The key HIPAA terms and definitions you need to know.
Ensuring that patient information is safeguarded and personal health data remains confidential is a priority for all healthcare companies. HIPAA (Health Insurance Portability and Accountability Act) seeks to address this priority by establishing standards for how healthcare providers, insurance companies, and other entities handle protected health information (PHI).
The array of terms and definitions related to HIPAA can often be hard to get your head around. In this article, we explain the key HIPAA terms and definitions you need to know.
Key HIPAA terms and definitions
HIPAA Compliance
The first thing to know is that HIPAA is not an audit standard; it is a US law that sets the guidelines and requirements for protecting sensitive patient health information. Importantly, HIPAA applies to both physical and electronic records.
However, while HIPAA itself is not an audit standard, it does require organizations to implement certain safeguards, policies and procedures that can be audited to ensure compliance.
PHI (Protected Health Information):
PHI refers to any information about a patient's health status, healthcare services, or payment for healthcare that can be linked to an individual. PHI is protected under HIPAA which mandates strict safeguards to ensure its privacy and security.
HIPAA Covered Entities and Business Associates
A key consideration in determining the scope of your HIPAA requirements is whether your organization is a Covered Entity or a Business Associate:
Covered Entity:
- Covered entities under HIPAA directly handle or process protected health information (PHI) as part of their professional operations.
- The three main types are:
  - Healthcare Providers: Hospitals, doctors, clinics, dentists, pharmacies, etc.
  - Health Plans: Health insurers, HMOs, government health programs like Medicare and Medicaid.
  - Healthcare Clearinghouses: Organizations that process nonstandard health information into a standard format.
Business Associate:
- A business associate under HIPAA is an entity that performs functions or activities on behalf of a covered entity (such as healthcare providers, health plans, or healthcare clearinghouses) involving the use or disclosure of protected health information (PHI).
- Examples of business associates include:
  - Third-party IT providers that manage or store PHI.
  - Cloud storage providers that store healthcare data.
  - Billing companies that handle patient information for processing claims.
  - Legal firms providing legal services that involve access to PHI.
  - EHR (Electronic Health Record) providers managing patient data systems.
  - Data analysts that process healthcare information to provide insights or reports.
  - Consultants offering services like audits or compliance assessments that involve PHI access.
HIPAA Rules:
There are several key rules within HIPAA that outline how healthcare organizations and business associates must handle protected health information (PHI). Here is a short summary of each:
- Privacy Rule: protects patient privacy and sets guidelines for PHI use and disclosure.
- Security Rule: secures electronic PHI with administrative, physical and technical safeguards.
- Breach Notification Rule: mandates notification procedures in case of a data breach.
- Enforcement Rule: imposes penalties for non-compliance with HIPAA.
- Omnibus Rule: expands HIPAA responsibilities to business associates and strengthens patient rights.
- Transaction and Code Set Rules: standardize electronic transactions in healthcare.
What's next?
Once you have gained an understanding of the key terms and definitions outlined in this article, the next question is - what are the key steps required to begin your HIPAA compliance journey?
To answer this question and for information on how AssuranceLab can assist with your HIPAA auditing requirements, check out our article on getting started with HIPAA.
Alternatively, get in contact with us directly and let our expert auditors guide you through the process to achieve HIPAA compliance for your organisation.