What does HIPAA require of you: A bird’s eye view
So you know you are regulated by HIPAA. But in a broad sense, what must your organization do to be in compliance? First and foremost, you need to understand what HIPAA and the HITECH Act regulate. HIPAA and the HITECH Act regulate and enforce the security of an individual patient’s health information. The specific information being regulated is known as Protected Health Information (PHI), sometimes also called Individually Identifiable Health Information (IIHI), and its subset, electronic Protected Health Information (ePHI). ePHI is simply PHI that is stored, maintained, or transmitted in digital form. PHI is defined as any data that can individually identify a patient, which in practice means anything that can reasonably be used to identify a patient. Examples include SSN, medical ID, age, voicemail, URLs, driver’s license number, license plate numbers, photos, names of relatives, identified test results, telephone numbers, email and postal addresses, and medical images. As can be seen, this sweeps a large swath of data under the umbrella of protected information.

So, what does HIPAA require of Covered Entities and Business Associates?

First, it is important to recognize that you have a requirement to know if you are regulated by HIPAA. Lack of awareness will not be a mitigating circumstance if the OCR finds you are in violation or non-compliant.

Second, HIPAA requires that you put safeguards into place to protect all possible areas of data leakage. For example, several organizations have been fined heavily for lost or stolen laptops which contained thousands of PHI records. The organizations had failed to put procedures in place to ensure that the data was encrypted and therefore inaccessible.

Third, control access to all data. To give an extreme example, this author was at the window of a Medical Doctor’s office signing in, when I heard a practitioner playing back messages from patients who had left voicemails listing, as requested, their name, birthdate and specifics about their condition/concern. That was both an “ewww” moment and a major HIPAA violation.

Fourth, have signed Business Associate agreements.

And fifth, train, train, train. All the compliance plans in the world aren’t of use if every employee has not been fully trained on your compliance procedures. HIPAA compliance isn’t a binder on a shelf written by a lawyer. HIPAA compliance derives from the ongoing minute-to-minute activities of everyone in the organization.