Examples include:
- Full name, or last name and initial(s)
- Geographic subdivisions smaller than a state (street address, city, county, precinct, ZIP code and equivalent geocodes), except the first three digits of a ZIP code, provided the area formed by all ZIP codes sharing those three digits contains more than 20,000 people; where that area contains 20,000 or fewer people, the three digits are changed to 000
- All elements of dates directly related to an individual (birth, admission, discharge, death), other than the year
- Phone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health insurance beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web Uniform Resource Locators (URLs)
- IP addresses
- Biometric identifiers, including finger, retinal and voice prints
- Full-face photographic images and any comparable images
- Any other unique identifying number, characteristic or code, except the unique code assigned by the investigator to code the data
As the list shows, a large swath of data falls under the umbrella of protected information.
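The list above is mechanical enough to encode. What follows is an added example, not code from the original page: a small Python de-identifier that drops the direct identifiers, keeps only the first three ZIP digits (collapsing restricted prefixes to 000), reduces dates to their year, and scans free-text notes for identifiers that typically leak there. It goes slightly beyond the list by also applying the related Safe Harbor rule that ages over 89 are aggregated into a single "90 or older" category, which means the birth year has to be suppressed for such records as well. The field names, the sample record and the `RESTRICTED_ZIP3` set are constructed for illustration; the real set of three-digit prefixes covering 20,000 or fewer people has to be derived from current Census data.

```python
"""Safe Harbor-style de-identification of a patient record (added example).

The field names, RESTRICTED_ZIP3 and SAMPLE_RECORD are constructed for this
illustration. The set of three-digit ZIP prefixes covering 20,000 or fewer
people must come from current Census data; the values below are placeholders.
"""
import re
from datetime import date

# Placeholder (constructed) set of three-digit ZIP prefixes with a population
# of 20,000 or fewer; these collapse to "000".
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203"}

# Direct identifiers that are dropped outright.
DROP_FIELDS = {
    "name", "street", "city", "phone", "fax", "email", "ssn", "mrn",
    "insurance_id", "account_number", "license", "vin", "device_serial",
    "url", "ip", "photo",
}

# Identifier patterns that commonly leak into free-text notes. Dates written
# in free text are not caught by these patterns and need separate handling.
PATTERNS = {
    "ssn": re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"),
    "phone": re.compile(r"(?<!\d)(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]\d{4}(?!\d)"),
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "ipv4": re.compile(r"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)"),
}

# Fixed reference date so the age computation is reproducible.
REFERENCE_DATE = date(2024, 1, 1)


def generalize_zip(zip_code):
    """Keep the first three ZIP digits, or 000 for a restricted prefix."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 3:
        return None
    zip3 = digits[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def year_only(iso_date):
    """Every element of a date except the year is an identifier; keep the year."""
    return date.fromisoformat(iso_date).year


def compute_age(iso_dob, as_of):
    """Whole years between the date of birth and the reference date."""
    dob = date.fromisoformat(iso_dob)
    return as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))


def redact_text(text):
    """Replace identifier patterns in free text; return the text and what was hit."""
    hits = {}
    for kind, pattern in PATTERNS.items():
        found = pattern.findall(text)
        if found:
            hits[kind] = found
            text = pattern.sub(f"[REDACTED-{kind}]", text)
    return text, hits


def deidentify(record, study_code, as_of=None):
    """Return a de-identified copy of `record` keyed by the investigator's code."""
    as_of = as_of or date.today()
    out = {"study_code": study_code}
    age = record.get("age")
    if age is None and record.get("dob"):
        age = compute_age(record["dob"], as_of)

    for key, value in record.items():
        if key in DROP_FIELDS or key == "age":
            continue
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key == "dob" or key.endswith("_date"):
            out[f"{key}_year"] = year_only(value)
        elif key == "notes":
            out["notes"], out["notes_redactions"] = redact_text(value)
        else:
            out[key] = value

    if age is not None:
        # Ages over 89 are aggregated into one category, and the birth year is
        # suppressed because it would reveal such an age.
        if age > 89:
            out["age"] = "90+"
            out.pop("dob_year", None)
        else:
            out["age"] = age
    return out


# Constructed sample record for demonstration.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "mrn": "MRN-0042",
    "dob": "1930-06-15",
    "admit_date": "2023-11-02",
    "zip": "03901",
    "diagnosis": "hypertension",
    "notes": "Callback 555-010-2299 or j.doe@example.org; SSN on file 123-45-6789.",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD, "S-001", as_of=REFERENCE_DATE))
```

The free-text scan is the part that earns its keep in practice: structured fields are easy to classify once, but clinical notes are where phone numbers, email addresses and account numbers reappear. The regexes here are deliberately simple and will not catch every format, so treat `notes_redactions` as evidence of what was found, not proof that nothing remains.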
Requirements
So, what does HIPAA require of Covered Entities and Business Associates?
First, you are responsible for knowing whether you are regulated by HIPAA at all. Lack of awareness is not a mitigating circumstance if the Office for Civil Rights (OCR) finds you in violation or non-compliant.
Second, HIPAA requires that you put safeguards in place against every foreseeable avenue of data leakage. For example, several organizations have been fined heavily for lost or stolen laptops that held PHI for thousands of patients. Those organizations had failed to put procedures in place to ensure the data was encrypted and therefore inaccessible. Encryption matters beyond the fine: under the Breach Notification Rule, PHI encrypted in line with HHS guidance is not "unsecured" PHI, so a lost encrypted laptop is generally not a reportable breach, while an unencrypted one is.
Third, control access to all PHI, in every medium, not only databases. To give an extreme example, this author was signing in at the window of a medical doctor's office when I heard a practitioner playing back voicemails from patients who, as requested, had left their name, birthdate and specifics about their condition or concern. That was both an "ewww" moment and a major HIPAA violation.
Fourth, have signed Business Associate Agreements in place with every vendor that handles PHI on your behalf.
And fifth, train, train, train. All the compliance plans in the world are of no use if every employee has not been fully trained on your compliance procedures. HIPAA compliance isn't a binder on a shelf written by a lawyer. HIPAA compliance derives from the ongoing, minute-to-minute activities of everyone in the organization.
