What is HIPAA Compliance?

"HIPAA" stands for the Health Insurance Portability and Accountability Act. This Act was passed in 1996 and provides regulatory standards regarding the use and disclosure of Protected Health Information ("PHI"). It is administered by the Department of Health and Human Services (HHS).

Hospitals, insurance companies, and all other covered entities must ensure HIPAA compliance to protect patients' private data. These laws are designed with the diverse health care market in mind and its need for a flexible and comprehensive governing system that covers the variety of uses and disclosures. This article is written to give an insight into the HIPAA laws.

What is HIPAA Compliance?

  1. HIPAA compliance is a set of guidelines for the privacy of individually identifiable health information.
  2. The rules are issued by the Department of Health and Human Services ("HHS").
  3. The Office for Civil Rights (OCR) governs the implementation and enforcement of these rules.
  4. They are designed with the primary motive of protecting health information while permitting the flow of health-related information as required to provide high-quality health care services.
  5. They set guidelines to be followed by health care providers and others covered under the rules.
  6. They define limits on the use and release of health records.

What are the HIPAA Privacy Rules?

A summary of HIPAA privacy rules is given below:

Who is covered by the Privacy Rule

It applies to health plans, health care clearinghouses, and health care providers that transmit health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA; these are identified as the "covered entities".

What information is Protected

This rule protects all individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. Such information is called "protected health information" (PHI) under HIPAA.

Uses and Disclosures General Principle

The primary purpose of this rule is to set guidelines for the use or disclosure of an individual's protected health information by covered entities. To that end, a covered entity may not use or disclose PHI, except:

  • As allowed under the Privacy Rule; or
  • As authorized in writing by the individual who is the subject of the information, or by his or her representative.

Further, a covered entity is required to make disclosures only in the following events:

  • When HHS undertakes a compliance investigation, review, or enforcement action
  • When individuals or their representatives request access to, or an accounting of disclosures of, their PHI

Permitted Uses and Disclosures

A covered entity is permitted (but not required) to use or disclose PHI without an individual's authorization for the following purposes:

  1. To the individual (unless required for access or an accounting of disclosures);
  2. Treatment, payment, or health care operations;
  3. Where the individual has the opportunity to agree or object;
  4. Incidental to an otherwise permitted use or disclosure;
  5. For activities in the public interest; and
  6. For purposes of research, public health, or health care operations.

A covered entity must obtain the individual's written authorization for any use or disclosure of PHI that is not for treatment, payment, or health care operations, or that is not otherwise permitted or required by the Privacy Rule.
