What is the purpose of HIPAA?
Health care in the United States is complicated. As if pretax medical savings accounts, health insurance coverage, and health information technology weren’t confusing enough, the United States Federal government has made it more complex by passing HIPAA, the Health Insurance Portability and Accountability Act.
In practice it is enforced through three rules:
- the HIPAA Privacy Rule,
- the HIPAA Security Rule, and
- the HIPAA Breach Notification Rule.
To answer the question, “What is the purpose of HIPAA”:
The purpose of HIPAA is to govern how health data is used and secured.
“Health data” has a specific definition under HIPAA. HIPAA only covers Protected Health Information (PHI), meaning anything that:
- relates to past, present or future health care (or payment for it); and
- identifies, or could reasonably be used to identify, an individual.
HIPAA also only applies to Covered Entities (CEs) and Business Associates (BAs). CEs are those who deal directly with care delivery and payment, such as doctors, hospitals, and group health plans. BAs are those who create, receive, maintain or transmit PHI on a CE’s behalf, such as lawyers, billing companies, and cloud services. And remember that HIPAA’s group health plan requirements do not apply to a plan with fewer than 50 participants that is administered solely by the employer.
What is the Purpose of the HIPAA Privacy Rule?
The purpose of the HIPAA Privacy Rule is to define how Covered Entities and Business Associates may use and disclose health data, and the ways in which they are prohibited from doing so. There are 70 specific safeguards that the Privacy Rule calls for. The term of art is “permitted uses and disclosures of protected health information”. When you fill out forms at your doctor’s office, you are permitting the use and disclosure of your information under the HIPAA Privacy Rule.
What is the Purpose of the HIPAA Breach Notification Rule?
The purpose of the HIPAA Breach Notification Rule is to spell out what steps to take in response to a breach of unsecured PHI: who must be notified (the affected individuals, the Department of Health and Human Services, and in larger breaches the media), and how quickly. There are 19 safeguards in the Breach Notification Rule. If you’ve ever gotten a letter from your doctor offering a year of credit protection, you’ve experienced the HIPAA Breach Notification Rule.
What the purpose of HIPAA is not
- HIPAA is not designed to get in the way of required healthcare delivery. The HIPAA rules call for “reasonable and appropriate” safeguards, which allows for a flexible approach that balances the need for privacy and security with patient care.
- HIPAA is not a certifiable standard. There is no such thing as “HIPAA Certified”. You may have heard of HITRUST certification, but that is a separate, non-governmental certification.
- HIPAA is not meant to be a one-time effort. To become HIPAA compliant requires repeated self-assessments and sustained effort over time. It’s not something that can be done once, then ignored.
- HIPAA is not a substitute for IT security. You can be fully compliant with HIPAA and still be very insecure, and you can have excellent security and still have many compliance gaps. Compliance is about documented, repeatable process; security is about whether an attacker actually gets the data.
The purpose of HIPAA
The purpose of HIPAA is to govern the use and protection of patient data. This is a simple statement, but the devil is in the details. Some of the rules are obvious, some are not obvious, and all of them must be tailored for your organization.
Contact Techumen to understand more about HIPAA and better manage your compliance risks.