What is HIPAA?

HIPAA isn’t hard. It’s just opaque, and the organizational penalties can be high, so people fear it. HIPAA also does not map well to the way people work today. This HIPAA training will make HIPAA relevant and easy to follow.

HIPAA stands for Health Insurance Portability and Accountability Act. It was enacted by Congress in 1996. It went into effect in stages from 2001 to 2006. The intention of HIPAA is to standardize healthcare transactions and to create protections for the use of protected health information (PHI).

At the time it was written, HIPAA was almost exclusively concerned with traditional healthcare organizations - care delivery organizations and health insurance companies. Because HIPAA was focused on data exchange and portability, It also covered healthcare clearinghouses that process and facilitate the exchange of healthcare data.

HIPAA was originally written before the first Internet bubble. Since that time, both the healthcare market and the technology market have changed considerably. As such, HIPAA has been updated, most notably in 2013 with the HIPAA Omnibus Rule, which expanded coverage to service and technology partners of healthcare organizations.

The big example of how HIPAA was expanded is that HIPAA now covers cloud and SaaS providers that have healthcare customers. In a world of APIs, app ecosystems and marketplaces, and data sharing, HIPAA coverage can expand across multiple technology and organizational layers.

Despite this expansion in 2013, traditional healthcare organizations remain the focal point for HIPAA.

Where to focus

For the purposes of this HIPAA training, the area we are focused on is the protection of PHI. When it comes to protecting PHI, the essence of the HIPAA rules can be distilled down into two sections.

1. Privacy. Ensuring access to PHI is only allowed for approved purposes (care delivery and billing are the most common purposes under HIPAA). This is where your privacy policies and procedures come from. This is the when and why of HIPAA.
2. Security. Ensuring best practices to secure processes and technology. This is where your policies and procedures are implemented. This is the how of HIPAA.

HIPAA is really that simple.

When you are uncertain about compliance in any of your day to day work, do not hesitate to reach out to your manager, human resources, compliance people, or data protection officer (if you have one). It is their job, and a requirement of regulation, for them to help you navigate these waters. You are not alone.

Your responsibility, regardless of the functional area in which you work, if you work for an organization that in some way touches PHI, is to make sure you are always focused on protecting PHI from unauthorized access.