The HIPAA (Health Insurance Portability and Accountability Act of 1996) is a Federal law regulating privacy of individual health information. The Department of Health and Human Services (DHHS), the agency responsible for HIPAA enforcement, provides a set of simple flow charts to help determine if your business is a “covered entity," an entity which must adhere to HIPAA standards and guidelines. A sample chart is shown below. In general, you’re a covered entity if you meet one of the following criteria:
- You are a health care provider that conducts certain transactions in electronic form
- You are a health care clearinghouse
- You are a health plan.
The HIPAA seeks to protect individual privacy by regulating both the release of non-electronic and electronic Protected Health Information (PHI). PHI is defined as,
“Individually identifiable health information" is information, including demographic data, that relates to
- the individual’s past, present or future physical or mental health or condition,
- the provision of health care to the individual, or
- the past, present, or future payment for the provision of health care to the individual,
and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number) (Summary of the HIPAA Privacy Rule, DHHS, 2003).
Standards and guidelines for compliance fall into one of two rules: the Privacy Rule and the Security Rule. They clearly define what is expected of covered entities to protect the confidentiality, integrity, and availability of PHI. If you’re a covered entity, NIST SP 800-66 is a good resource for understanding required information security controls.