Lesson 01beginnerKnowledge

What is HIPAA?

Covered entities, business associates, and what PHI actually means.

Overview

HIPAA is widely referenced but frequently misunderstood. Before you can apply any of its rules, you need to know who it applies to, what information it protects, and how the law is structured. Answer the five questions below precisely. Vague or generic answers will not score well.

Read before you answer

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a US federal law that establishes national standards to protect individuals' medical records and other personally identifiable health information. It applies to "covered entities" — health plans (insurance companies, employer-sponsored health plans, Medicare, Medicaid), healthcare clearinghouses (organisations that process health information between non-standard and standard formats), and healthcare providers (hospitals, clinics, physicians, pharmacies, nursing homes) that transmit health information electronically in connection with covered transactions. HIPAA also applies to "business associates" — any organisation that performs functions or activities on behalf of a covered entity that involve creating, receiving, maintaining, or transmitting protected health information (PHI). Cloud storage providers, billing companies, EHR vendors, and legal firms handling patient records are all examples of business associates.

HIPAA has three main rules. The Privacy Rule (45 CFR Part 164, Subpart E) establishes standards for how PHI may be used and disclosed, and gives patients rights over their own health information. The Security Rule (45 CFR Part 164, Subpart C) applies specifically to electronic PHI (ePHI) and requires covered entities and business associates to implement administrative, physical, and technical safeguards to ensure its confidentiality, integrity, and availability. The Breach Notification Rule (45 CFR Part 164, Subpart D) requires covered entities to notify affected individuals, the HHS, and in some cases the media when a breach of unsecured PHI occurs.

Protected Health Information (PHI) is individually identifiable health information that is held or transmitted by a covered entity or business associate. It includes any information that relates to an individual's past, present, or future physical or mental health condition, the provision of healthcare to them, or the payment for that healthcare — and which identifies or could identify the individual. HIPAA defines 18 identifiers whose presence in a dataset makes it PHI: name, geographic data smaller than state, dates (other than year) related to the individual, phone numbers, fax numbers, email addresses, Social Security numbers, medical record numbers, health plan beneficiary numbers, account numbers, certificate/licence numbers, vehicle identifiers, device identifiers, URLs, IP addresses, biometric identifiers, full-face photographs, and any other unique identifying number or code.