HIPAA is a federal law that protects the privacy and security of patients’ Protected Health Information (PHI). The law applies to healthcare providers, health plans, healthcare clearinghouses, and business associates. HIPAA also establishes rules for how PHI can be used and disclosed. In this blog post, we will explore the basics of HIPAA, from what it is and what its main rules are to whether penetration testing is required under HIPAA.
What is HIPAA?
HIPAA is the Health Insurance Portability and Accountability Act. HIPAA was enacted in 1996, and it requires national standards for protecting sensitive patient health information from being disclosed without the patient’s consent or knowledge. The US Department of Health and Human Services (HHS) has provided the HIPAA Privacy Rule requirements to be implemented by all entities subject to HIPAA rules. These covered entities range from healthcare providers to health insurance companies. The HIPAA Security Rule protects a subset of information covered by the Privacy Rule.
HIPAA requires covered entities to take steps to protect the confidentiality, integrity, and availability of PHI. Covered entities must also ensure that PHI is not used or disclosed in a way that violates HIPAA. To do this, covered entities must have policies and procedures in place to comply with HIPAA. They must also train their employees on HIPAA and have security measures in place to protect PHI.
What are HIPAA’s main rules?
HIPAA has two main rules: The Privacy Rule and the Security Rule.
The Privacy Rule establishes national standards for the use and disclosure of PHI. The rule requires covered entities to get patient consent before using or disclosing PHI. The rule also gives patients the right to access their own PHI and to request that their PHI be corrected if inaccurate.
The Security Rule establishes national standards for the security of electronic PHI. The rule requires covered entities to have physical, technical, and administrative safeguards in place to protect PHI. Covered entities must also train their employees on how to protect PHI and have procedures in place to respond to security incidents.
What are the entities subject to HIPAA’s Privacy Rule?
HIPAA applies to four types of entities: Healthcare providers, health plans, healthcare clearinghouses, and business associates.
Healthcare providers are any entities that electronically transmit health information in connection with certain transactions. These transactions include the following:
- Benefit eligibility inquiries
- Referral authorization requests
- Other transactions subject to HHS-established standards under the HIPAA Transactions Rule.
Health plans are any entities that provide or pay for healthcare services. This includes the following:
- Health, dental, vision, and prescription drug insurance companies.
- Health Maintenance Organizations (HMOs).
- Medicare, Medicaid, Medicare+Choice, and Medicare supplement insurance companies.
- Long-term care insurance entities (excluding nursing homes with fixed-indemnity policies).
- Employer-sponsored group healthcare insurance plans.
- Government- and church-sponsored healthcare insurance plans.
- Multi-employer healthcare insurance plans.
Healthcare clearinghouses are any entities that process non-standard information received from another entity into standard information (i.e., a standard format or data content), or vice versa. In most cases, healthcare clearinghouses receive individually identifiable health information (a subset of health information, e.g., demographics) only when they provide these processing services to a health plan or a healthcare provider as a business associate.
How must covered entities comply with HIPAA’s Security Rule?
The HIPAA Privacy Rule protects PHI, whereas the Security Rule safeguards a subset of the information subject to the Privacy Rule. This subset includes any individually identifiable health information a covered entity creates, receives, maintains, or transmits electronically, called electronic protected health information, or e-PHI. The Security Rule does not apply to PHI transmitted orally or on paper.
To become compliant with this HIPAA Security Rule, all covered entities must do the following:
- Ensure the confidentiality, integrity, and availability of all e-PHI data.
- Detect and protect against common threats to the security of e-PHI data.
- Protect against any anticipated uses or disclosures that the rule forbids.
- Ensure their workforce complies with HIPAA.
When considering requests for these forbidden uses and disclosures, all covered entities should base their decisions on professional ethics and best judgment. The HHS Office for Civil Rights, which enforces the HIPAA rules, is the office to which all complaints should be directed. Any HIPAA violation could result in civil monetary or criminal penalties.
Is penetration testing required under HIPAA?
Penetration testing is not an explicitly named requirement for HIPAA compliance, but HIPAA does require a risk analysis, and penetration testing is cited as one of the most effective methods of testing and validating the security controls implemented to protect PHI.
HIPAA compliance is not a one-time event but an ongoing process. HIPAA requires covered entities to review and update their security measures regularly. By understanding HIPAA and taking the necessary steps to comply with its requirements, covered entities can safeguard PHI and avoid costly penalties. The HIPAA compliance process also helps covered entities implement effective security measures that protect PHI against the top healthcare cybersecurity risks.
Contact us if you need help with your cybersecurity compliance project.