What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) was issued by the US government and imposed industry-wide standards to regulate health insurance coverage, reduce health care fraud and abuse, and prescribe the confidential handling of protected health information (PHI).
The HIPAA Privacy regulations require health care providers, organisations and their business associates to ensure the confidentiality and security of PHI while transferring, receiving, handling or sharing it.
Scope - Covered Entities and Business Associates
The HIPAA Privacy Rule applies to "covered entities" and their "business associates".
- "Covered entities" are health plans, health care clearinghouses and those health care providers that conduct certain health care transactions electronically.
- A "business associate" is a person who performs certain services for a covered entity that involve the use or disclosure of protected health information, for example data transmission services.
The chain can be extended: a covered entity may be a business associate of another covered entity, and a business associate can engage a subcontractor that creates, receives, maintains, or transmits PHI on behalf of the business associate. In these cases there must be a contract or other arrangement in place (for more details please see section 4).
HIPAA Privacy Rule - overview
The HIPAA Privacy Rule, in particular:
- Requires appropriate safeguards to protect the privacy of personal health information,
- Sets limits and conditions on the uses and disclosures of such data,
- Provides patients with rights over their health information, such as the right to examine or obtain a copy of their health records, and to request corrections.
Required safeguards
According to the regulation, safeguards must be implemented at the administrative, physical, technical and organizational levels.
- Access control: Technical policies and procedures must be implemented so that only authorized persons can access PHI.
- Integrity: PHI must be protected from improper alteration or destruction.
- Encryption and decryption: A mechanism to encrypt and decrypt electronic protected health information must be in place.
- Business associate contracts: Covered entities (or business associates) that engage business associates to work on their behalf must have contracts in place to ensure that their business associates safeguard protected health information, and use and disclose the information only as permitted or required by the Privacy Rule. In the contract, the business associate guarantees that it and its subcontractors, if any, will process PHI in a HIPAA compliant manner, and report to the covered entity any security incident of which it becomes aware.
Breach Notification Rule
As part of HIPAA, the Breach Notification Rule requires the notification of individuals, the Secretary and, in serious cases, even the media following a breach of unsecured PHI. PHI is "unsecured" when no technology has been applied that would have rendered it unusable, unreadable, or indecipherable to unauthorized individuals. For example, Tresorit's client-side encryption secures the covered entity's files before they leave the covered entity's premises and does not permit decryption in the cloud, so that nobody without authorization, not even Tresorit, can access the encrypted data.