The Health Insurance Portability and Accountability Act (HIPAA) is a U.S. law that sets standards for protecting sensitive health information. It requires healthcare organizations and their partners to safeguard protected health information (PHI) when storing, accessing, transmitting, or sharing it.
Applicability
HIPAA applies to both covered entities and business associates.
- Covered entities include health plans, healthcare clearinghouses, and healthcare providers that process certain healthcare transactions electronically.
- Business associates are individuals or organizations that handle PHI on behalf of a covered entity, such as data storage, file-sharing, and data transmission providers. They may also work with subcontractors that create, receive, maintain, or transmit PHI on their behalf. In these cases, contracts or other formal agreements are required between the parties to ensure PHI is handled in compliance with HIPAA.
Privacy Rule overview
The HIPAA Privacy Rule:
- Requires appropriate safeguards to protect PHI
- Limits how PHI can be used and disclosed
- Gives patients rights over their health information, including the right to access and request corrections to their records
Required safeguards
The HIPAA Security Rule requires covered entities and business associates to implement administrative, physical, and technical safeguards for electronic PHI (ePHI), together with organizational requirements such as business associate agreements. Key requirements include:
- Access control: Technical policies and procedures must be implemented to ensure that only authorized individuals can access PHI.
- Data integrity: PHI must be protected against unauthorized alteration or destruction.
- Encryption: Electronic PHI should be encrypted both in transit and at rest. Under the Security Rule, encryption is an "addressable" specification, so an organization that chooses not to encrypt must document why and what equivalent measure it uses instead.
- Business associate agreements: Covered entities and business associates must enter into agreements that define how PHI is protected and processed. These agreements require business associates and their subcontractors to:
  - handle PHI in a HIPAA-compliant manner
  - use and disclose PHI only as permitted
  - report security incidents or breaches that they become aware of
Breach Notification Rule
HIPAA's Breach Notification Rule requires covered entities and business associates to notify affected individuals and the Secretary of HHS, and, for breaches affecting more than 500 residents of a state or jurisdiction, prominent media outlets, if unsecured PHI is exposed in a data breach.
- Unsecured PHI is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through a method specified in HHS guidance, in practice encryption or destruction. Encrypted data only counts as secured if the decryption key was not compromised along with it, so where keys are stored matters as much as whether encryption is switched on.
- Tresorit helps protect PHI with client-side encryption. Files are encrypted before they leave the user's device, and decryption keys are not accessible in the cloud. This helps prevent unauthorized access to sensitive data, including by Tresorit itself.
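The following is an added illustration of the client-side encryption pattern described above; it is not Tresorit's code and makes no claim about Tresorit's internals. It models a client that generates its own AES-256 key, encrypts a record with AES-GCM before upload, binds the ciphertext to its storage path, and verifies integrity on download, so that the provider holds only ciphertext it cannot read and any tampering with the stored copy is detected. The `Envelope` type, function names, sample record, and path are hypothetical.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is the only thing the storage provider ever receives:
// a random nonce and the AES-256-GCM output (ciphertext || 16-byte tag).
// The key stays on the client device, so a breach of stored envelopes
// exposes no readable PHI. (Hypothetical type for this example.)
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte
}

// NewClientKey generates a 256-bit AES key on the client. A real product
// would wrap this key with a user credential; here it is simply held in
// memory (assumption for the example).
func NewClientKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts a file on the client before upload. The storage path is
// passed as additional authenticated data, so a ciphertext that is moved
// or renamed on the server will fail to decrypt.
func Seal(key, plaintext []byte, path string) (Envelope, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return Envelope{}, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	return Envelope{
		Nonce:      nonce,
		Ciphertext: aead.Seal(nil, nonce, plaintext, []byte(path)),
	}, nil
}

// Open decrypts an envelope downloaded from the provider and checks the
// authentication tag: any change to nonce, ciphertext, tag, or path is
// rejected, which is the integrity control HIPAA asks for.
func Open(key []byte, env Envelope, path string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(env.Nonce) != aead.NonceSize() {
		return nil, errors.New("envelope: bad nonce length")
	}
	return aead.Open(nil, env.Nonce, env.Ciphertext, []byte(path))
}

// ProviderCanRead models the storage provider (or an attacker holding its
// copy) searching the stored bytes for a known PHI string. For a correctly
// sealed envelope this is false.
func ProviderCanRead(env Envelope, phi []byte) bool {
	return bytes.Contains(env.Ciphertext, phi)
}

func main() {
	// Constructed sample record; not real patient data.
	phi := []byte("Patient: Jane Doe; MRN 000123; Dx: hypertension")
	path := "records/000123/visit-2024-03-01.txt"

	key, err := NewClientKey()
	if err != nil {
		panic(err)
	}
	env, err := Seal(key, phi, path)
	if err != nil {
		panic(err)
	}
	fmt.Printf("provider stores %d bytes; PHI visible to provider: %v\n",
		len(env.Nonce)+len(env.Ciphertext), ProviderCanRead(env, []byte("Jane Doe")))

	got, err := Open(key, env, path)
	fmt.Printf("client decrypt ok: %v, record intact: %v\n", err == nil, bytes.Equal(got, phi))

	// Simulate a bit flip in the provider's stored copy.
	tampered := Envelope{Nonce: env.Nonce, Ciphertext: append([]byte(nil), env.Ciphertext...)}
	tampered.Ciphertext[0] ^= 0x01
	_, err = Open(key, tampered, path)
	fmt.Printf("tampered copy rejected: %v\n", err != nil)
}
```

The point of the example is the division of knowledge: the provider's copy is ciphertext plus a nonce, so a breach of that copy is a breach of secured data only as long as the client-held key is not exposed with it. Binding the path as associated data is an extra check beyond confidentiality: it stops a server-side swap of one patient's encrypted file for another's from decrypting silently.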