Who is HIPAA For?

HIPAA applies to a variety of entities in the healthcare sector, including:

• Covered Entities
  Healthcare providers (such as doctors, clinics, and hospitals), health plans (including health insurance companies and government programs like Medicare and Medicaid), and healthcare clearinghouses.
• Business Associates
  Companies or individuals who perform services for covered entities involving the use or disclosure of PHI, such as billing companies, data storage providers, and IT service providers.
• Workforce Members
  Employees, volunteers, trainees, and other individuals whose conduct in the performance of work is under the direct control of a covered entity or business associate.

HIPAA Security vs. HIPAA Privacy

HIPAA encompasses both security and privacy rules, each addressing different aspects of protecting health information:

• HIPAA Security Rule
  Focuses on protecting electronic personal health information (ePHI) by establishing standards for securing the creation, maintenance, and transmission of ePHI. It requires administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI.
• HIPAA Privacy Rule
  Aims to protect all forms of PHI, whether electronic, paper, or oral. It sets standards for the use and disclosure of PHI and grants individuals rights over their health information, including rights to access and request corrections to their records.

HIPAA Security Controls

Administrative Safeguards

• Security management processes to prevent, detect, contain, and correct security violations.
• Assigned security responsibility for overseeing the development and implementation of the security policies.
• Workforce security to ensure only authorized personnel have access to ePHI.
• Information access management to implement policies and procedures for authorizing access to ePHI.
• Security awareness and training programs for all workforce members.
• Security incident procedures for responding to and reporting security incidents.
• Contingency planning to ensure the availability of ePHI during emergencies.
• Evaluation procedures to periodically assess the security measures.

Physical Safeguards

• Facility access controls to limit physical access to electronic information systems and the facilities in which they are housed.
• Workstation use policies to specify proper functions and physical attributes of workstations.
• Workstation security measures to restrict access to authorized users.
• Device and media controls to govern the receipt, removal, and disposal of hardware and electronic media containing ePHI.

Technical Safeguards

• Access controls to allow only authorized persons to access ePHI.
• Audit controls to record and examine activity in information systems containing ePHI.
• Integrity controls to protect ePHI from improper alteration or destruction.
• Person or entity authentication to verify that persons seeking access to ePHI are who they claim to be.
• Transmission security measures to protect ePHI transmitted over electronic networks.

Organizational Requirements

• Business Associate Contracts to ensure that business associates comply with HIPAA requirements.
• Group Health Plan Requirements for group health plans to implement safeguards for ePHI.

Policies and Procedures

• Documentation of policies and procedures implemented to comply with HIPAA standards.
• Regular updates to policies and procedures to reflect changes in law, technology, and business practices.

Incident Response and Reporting

• Procedures for identifying, responding to, and reporting security incidents.
• Documentation and mitigation of incidents, including breach notifications when required.

HIPAA Privacy Controls

Privacy

• Regulates how health information can be used and disclosed.
• Requires patient consent for disclosures outside of treatment, payment, and healthcare operations.
• Grants individuals rights to access, amend, and obtain an accounting of disclosures of their PHI.

Breach

• Defines requirements for breach notifications in case of unauthorized disclosure of PHI.
• Requires covered entities to notify affected individuals, the HHS, and, in some cases, the media.
• Specifies timelines and content for breach notifications.