At the most basic level, protected health information refers to personal health information and the protections established by the Health Insurance Portability and Accountability Act of 1996 (HIPAA for short). HIPAA, along with the associated Privacy and Security Rules, provides federal protections governing personal health information that is held and managed by 'covered entities', as well as numerous rights regarding access to or disclosure of that information. Some examples of these protections include the legally enforced right to see and receive copies of any health information held by health providers or health plans, as well as any health services or health plan-related billing record, including enrollment, payments, claims adjudication, and more.
While HIPAA provides high-level federal protections for your protected health information, and the management of said data, the Privacy Rule provides the direct rules that enforce your rights over your personal health information, as well as setting rules and limits on disclosure of this information. Individuals have the right to access this data for as long as the covered entity stores said information.
While the length of retention is not directly covered by HIPAA, records relating to the storage and maintenance of personal health information, the safeguards in place to protect it, and other auditable records related to compliance must be retained for 6 years. As for the protected health information itself, retention is governed at the state level, but on average it is about 10 years.
The Privacy Rule protects your access to numerous types of records, including medical and billing records, health plan enrollment, claims adjudication, payments, and any associated information that is used to make decisions about the patient. In other words, the right to access is very broad and includes medical images and x-rays, wellness and disease management program files, clinical notes, and more. A covered entity is not required to create new information in response to a request but must provide anything already in existence that fits these criteria.
There are some notable exceptions to the data that must be provided to the patient. For instance, while any diagnoses, prescriptions, and similar information must be provided by a mental health practitioner, psychotherapy notes (i.e., the personal notes of the mental health practitioner) would not be disclosed. In addition, information that is not used to make decisions about a patient's direct care is not covered. For example, quality assessments, patient safety activity records, business planning records, peer reviews, and other such material that may include patient data but is used to improve customer service or generate hospital policies would not need to be included in a patient's request for medical records.
Much like a Jacuzzi is a hot tub but not all hot tubs are Jacuzzis, ePHI (electronic protected health information) is a subset of PHI (protected health information). It consists of all individually identifiable health information created, received, sent, or maintained in electronic form by a covered entity. HIPAA's Security Rule protects this subset of protected health information.
The Security Rule states that covered entities and business associates must:
HIPAA was a response to the changing landscape of medical and health insurance information: technology had made it far easier to transfer and share records, leading to an ever-increasing chance of mishandling or misuse. Electronic health records and the Security Rule are a primary part of the reason HIPAA was conceived. ePHI (electronic protected health information) is at the heart of HIPAA because electronic records are what have made medical information so easy to share, misuse, corrupt, or mishandle. With new technology, wrongful dissemination of information has become much too easy.
If your organization in any way touches a person's medical history, medical billing records, or any other health data as part of your business, perhaps as a healthcare provider or health plan provider, you are considered either a Covered Entity or a Business Associate, depending on the access you have or the purpose for which you have it.
If you are a healthcare provider or a health insurance provider, or another organization in the healthcare industry that has direct access to personal health information or adds to a client’s healthcare information directly, you fall under the category of ‘Covered Entities’. When health information can be directly attributed to your organization or is a primary part of what your organization handles or does, you are the focal point of responsibility for HIPAA compliance and rules.
As explained on HHS.gov, examples of covered entities governed by HIPAA rules include:
Health Providers, including:
Health Plans, including:
Health Care Clearinghouses – entities that process non-standard health information into a standard electronic format.
If a secondary organization requires access to personal and protected health information to assist a covered entity in performing its business activities, that organization must enter into a business associate agreement with the covered entity. The HIPAA-covered entity is responsible for ensuring that the business associate (BA) has physical safeguards and digital protections in place, that all of its employees are trained in HIPAA-compliant best practices, and that the business associate relationship is enforced in writing. This business associate agreement must establish specifically what the BA will be doing with the protected health information and limit its activities to those prescribed.
Business associates are equally responsible for protecting the PHI they use, just as the covered entity is, and must in turn ensure that if they share this information for any business purpose, they have a business associate agreement in place with that entity and the same provisions are followed. In other words, any subcontractor must in turn have a written agreement, and in turn becomes another business associate, with the responsibilities this entails, forming a chain of custody.
With the advent of many health-related mobile applications, the definition of what constitutes protected health information is changing yet again. Clinics and doctors' offices are making strong use of applications to track the physical activity of clients, as well as things like heart rate and other factors. Healthcare professionals have access to such health apps' data to make diagnoses and to track physical fitness plans or physical therapy requirements. Insurance companies, too, may occasionally use such applications and information regarding physical activity or indicators of heart health for the purpose of determining rates. This means that data collected by such applications, including geographical identifiers, can now fall into the category of ePHI (electronic protected health information), or simply protected health information if transferred to hard copy.
But it is not simply mobile applications that are considered tracking technology. Tracking technology consists of any script or code that gathers information about an individual when they interact with a website or mobile app. If individually identifiable health information is shared on such an app or site in any fashion, HIPAA compliance must be established.
Because what is considered healthcare data is changing, it is important to establish that HIPAA protections are broad enough to cover this type of ePHI as well. Because the mobile devices these applications are tied to tend to hold biometric data, payment data, and associated identity information, and the applications themselves hold individually identifiable health information, such applications must be designed in a way that insulates this data, with best practices established for disclosing or sharing it safely (i.e., only with the client). Even if such information is not directly medical or health-related, it can still be misused in any number of ways and requires safeguards to be in place. In other words, all of the requirements of the HIPAA Security Rule must be met by the health and human services that use this data and by the development companies creating the applications alike.
HIPAA regulations are not simply about the responsibility to protect health information, but also about enforcement and the penalties applicable if these responsibilities are not taken seriously. Breaches and other HIPAA violations are enforced by the OCR (Office for Civil Rights), which has investigated over 300 thousand complaints since the implementation of the Privacy Rule in 2003. Over $133 million in civil money penalties have been levied in that time frame. In other words, HIPAA has teeth and should be ignored at your own peril.
If you have reason to believe any of the protected health information described above could reasonably pass through your organization, you should immediately look to become HIPAA compliant, as well as require business associate agreements of any contractors that may have any level of access, including any software developers that might be designing an application for you. Flatirons is HIPAA compliant and certified through AccountableHQ. We hire only top-tier talent and can help you by providing a full team under your management, individual resources, or managing the project on your behalf. Our experienced team is ready and waiting to help you in any way you need, ensuring HIPAA compliance throughout the creation of your application.
Flatirons helps healthcare organizations create compliant and tailored software solutions.