It goes without saying that if you have ever dealt with or thought about HIPAA, you have figured out there is a lot of jargon that goes along with it. The following article will discuss some HIPAA basics.
The Health Insurance Portability and Accountability Act – simply known as HIPAA – protects individually identifiable health information (IIHI). Information must meet three requirements to be considered IIHI:
- The information is created by a health care provider, health plan, employer, health care clearinghouse, or other covered entity (we covered this term in "What’s Hip with HIPAA? Covered Entities").
- The information concerns a person’s physical or mental health, any health care the person receives, or payment for their health care.
- The information is identifiable, i.e., where the person’s name, address, photograph, and other personal, identifiable details are connected to the information.
When IIHI is maintained or transmitted in electronic form, it is called protected health information (PHI). HIPAA created certain privacy and data security rules to regulate the collection, use, disclosure, and protection of PHI.
Generally, covered entities, such as health care providers, must collect, use, and disclose only the minimum amount of PHI necessary to accomplish a transaction. The HIPAA Transactions Rule mandates compliance with uniform standards for some electronic transactions using PHI. Covered entities must also create data security procedures, policies, and protocols to protect PHI. Both covered entities and business associates (we covered these terms in "What’s Hip with HIPAA? Covered Entities" and "What’s Hip with HIPAA? Business Associate Agreements") must notify individuals if there is a security breach.
Violations of HIPAA carry both civil and criminal penalties. Civil penalties may range from $100 to $1.5 million for each type of violation. Criminal sanctions can include fines of up to $250,000 and 10 years in prison, depending on the circumstances. However, multiple violations have the potential to drive penalties much, much higher – as demonstrated in a $5.5 million settlement case.