Crash Course in HIPAA, Protected Health Information, and Business Associate Agreements

If you know about HIPAA, you may know of the different and complex rules associated with it. For those of us who are unfamiliar with certain terms or need a refresher course, we’ve put together definitions and examples to help you determine whether your organization is considered a covered entity or business associate, what defines PHI and PII, and what steps you can take to avoid penalties and stay HIPAA compliant.

What is HIPAA?

HIPAA – Health Insurance Portability and Accountability Act, passed in 1996, was created to protect patient privacy. As an extension to this act, the HIPAA Privacy & Security Rule was passed to protect the electronic health information that is created, received, used, or maintained by a covered entity.  It is required by law that both covered entities and business associates be trained in security awareness and the steps that should be taken when transmitting electronic Protected Health Information (“PHI”) or sensitive Personally Identifiable Information (“PII”).

 

How PII & PHI Overlap

In general, PII can include a person’s place of birth, date of birth, SSNs, mother’s maiden name, biometric information, personal financial information, passport numbers, credit card numbers, or criminal history. When associated to an individual, it is considered sensitive and must be protected when being electronically transmitted. Phone numbers, addresses, email addresses, resumes that don’t contain SSNs, or general background information about individuals but are not linked to or associated with an individual may be transmitted electronically without protection.

PHI includes sensitive details about a patient like his/her birthdate, a history of medical conditions and health insurance claims. Tracking this information helps with doctors further treating and understanding patient health.

In both cases, organizations who are responsible for the transmittal of this sensitive information must take the correct steps to ensure it cannot be intercepted by the wrong entity.

 

HIPAA Compliance & Enforcement

HIPAA compliance is enforced by the Department of Health & Human Services’ Office for Civil Rights (“OCR”) and sometimes they work jointly with the Department of Justice for criminal violations of HIPAA. There are several ways the OCR enforces the HIPAA Privacy & Security Rule including investigating complaints, conducting compliance reviews, and performing education and outreach to foster compliance with the Rules’ requirements.

If a complaint is filed against your business, OCR will attempt to resolve the case by obtaining voluntary compliance, corrective action, and/or putting a resolution agreement in place after thorough investigation. In worst cases like data breaches due to a failure of implementation of safeguards, like data encryption, the OCR could impose extreme civil money penalties.

In June of 2018, the University of Texas MD Anderson Cancer Center was assessed $4.3 million in penalties for security breaches and associated HIPAA violations. Unfortunately, unencrypted devices containing thousands of patients’ personal information were stolen from an MD Anderson employee.  Moreover, there has been a proliferation of PHI regulation in the past year. Without the use of email or device encryption, your business could be liable for exposing PHI and in turn, be assessed for steep penalties like MD Anderson.

 

Is my organization a HIPAA-covered entity?

Covered entities are defined as 1) Health Plans, 2) Health Care Clearinghouses, and 3) Health Care Providers who electronically transmit any health information in connection with transactions. These transactions could be billing and payment for services or insurance coverage. Covered entities can be institutions, organizations, or persons. A few examples include: hospitals, academic medical centers, physicians, and other health care providers, health care insurance companies, HMOs, and government programs that pay for health care like Medicare, Medicaid, and veterans health care programs.

 

Am I considered a Business Associate (“BA”)?

A business associate is a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. A member of the covered entity’s workforce is not a business associate. A few examples include: medical billing companies, collection agencies, third party administrators that assist a health plan with claims processing, and a CPA firm whose accounting services are directed towards health care providers.

 

Why is a business associate agreement (“BAA”) required?

Since business associates have some type of access to electronic protected health information from covered entities, a legal contract that describes adherence to HIPAA is necessary. This contract must also define the services the BA is providing to the covered entity. In recent years, settlements of $700,000-$1.5 million by the Health and Human Services Office of Civil Rights were issued to covered entities who failed to enter a BAA with their business associate before disclosing PHI.

If any of these terms and definitions apply to your business or practice, we advise the following for you to maintain compliance with HIPAA, avoid security breaches, and avoid having to pay steep penalties:

  1. Covered entities must have a HIPAA compliant BAA with all third-party vendors who maintain, transmit, or receive PHI/ePHI on its behalf
  2. The BAA should be executed before disclosure of PHI/ePHI to the BA
  3. Encrypt your emails and devices for any potential security breaches
  4. Train employees on HIPAA compliance

To stay in touch with us for tips, news, and updates, subscribe to our blog by filling out the email field on the right side panel!

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>