HIPAA is a federal law regulating how certain organizations involved in the provision of health care handle and secure health information.
The U.S. Health Insurance Portability and Accountability Act (HIPAA) is a federal law that regulates how health information is handled and secured. HIPAA helps ensure the protection of health information by requiring security controls for electronic health information and mandating privacy practices.
HIPAA impacts two main types of organizations: "covered entities" such as healthcare providers, health plans, and healthcare clearinghouses; and "business associates" of covered entities, such as billing companies, electronic health record (EHR) vendors, consultants, or IT providers.
Protected Health Information (PHI) is any individually identifiable health information relating to the provision of healthcare that covered entities and business associates create, receive, store, or transmit. PHI is a type of personally identifiable information (PII), which is data that can be used to identify an individual.
Below are data fields that may be PHI if processed by a covered entity or business associate and to the extent the data is associated with the provision of healthcare:
One important note is that PHI can occur in multiple forms, from written to oral to electronic data.
Suppose Michael visits a general practitioner for the first time, and the practitioner's office records Michael's name and address, takes his health insurance information, and requests his medical records from his previous provider verbally. All of this written and oral data is considered PHI and must be protected.
Now suppose Michael has a telehealth appointment with this same practitioner the next week. Information about Michael's online activities that reveal details about his telehealth appointment may also be considered PHI, even though it is electronic, rather than a written or oral piece of information.
The HIPAA Privacy Rule requires covered entities and business associates to build in appropriate privacy safeguards and policies to protect PHI. There are strict regulations around what an organization is allowed to do with PHI without an individual’s consent, and the Privacy Rule grants individuals the right to know how their data is being used and/or request corrections.
The HIPAA Security Rule requires administrative, physical, and technical safeguards for electronic PHI (ePHI). These range from securing facility access and controlling devices and media, designating responsible security personnel, and training the workforce, to conducting a regular risk analysis of the threats to ePHI.
The HIPAA Security and Privacy Rules are important in ensuring that individuals' health information is properly protected while still allowing the flow of health information needed to provide and promote high-quality health care and to protect the public's health and well-being. These rules are particularly important given the diversity of the healthcare marketplace, the variety of uses and disclosures that need to be addressed, and the influx of new technologies in the healthcare field, including telehealth, remote therapy, electronic health records, device-based health monitoring, and AI-assisted care. Each of these technologies comes with its own security and privacy challenges, which organizations are required to address under the HIPAA Security and Privacy Rules.
HIPAA violations can lead to hefty penalties and legal action. Some of the most common violations include:
Imagine that Michael’s doctor left the patient form with Michael’s name, date of birth, Social Security number, and medical concerns in the waiting room for 24 hours, where it could be accessed by any patient or staff member. Then, imagine that the doctor uploaded Michael’s health information to an online portal, which was not password protected. Both situations are examples of HIPAA compliance violations.
Penalties for HIPAA noncompliance are significant, ranging from $100 per violation to an annual maximum of $1.5 million for violations of the same provision (amounts are adjusted for inflation). The Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS) categorizes violations into tiers based on the level of culpability, from lack of knowledge up to willful neglect that is not corrected.
Cloud providers must enter a HIPAA-compliant business associate agreement (BAA) with their customers in order to create, receive, maintain, or transmit PHI. A BAA requires the cloud service provider to provide appropriate protections for PHI, and to conduct risk analyses to identify potential vulnerabilities. It may also include specific instructions about data availability, backups, disaster recovery, and data retention.
As business associates, cloud service providers are also directly liable for unauthorized disclosures of PHI, for failing to protect PHI, and for failing to report a breach of PHI as required by the HIPAA Breach Notification Rule.
Here are six recommendations for ensuring HIPAA compliance:
Cloudflare provides cloud-based network, application and enterprise security services that can help organizations meet the stringent technical requirements of the HIPAA Security Rule and avoid inadvertent disclosure or misuse of PHI in violation of the HIPAA Privacy Rule. These services include the following:
Cloudflare’s products also comply with industry-recognized security and privacy standards, including ISO 27001, ISO 27701, SOC 2, and the EU Cloud Code of Conduct. While HIPAA does not provide for formal validation of compliance, Cloudflare’s network, management infrastructure, and processes are consistent with the HIPAA Security and Privacy Rules and related regulations.
Learn more about Cloudflare and US privacy law here.