You may be asking yourself, so what is HIPAA? The federal law known as HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. Congress passed this landmark law to provide the following: portability of insurance; protection and privacy of healthcare information; standardization and efficiency in health care data; and prevention of discrimination and fraud.

HIPAA gives the U.S. Department of Health and Human Services the responsibility of adopting rules to help individuals keep their personal health information private. HIPAA protects against unauthorized disclosure of any protected health information that pertains to the patient. It establishes a national set of security standards for protecting certain health information that is held or transferred in electronic form. In addition to privacy and security, administrative provisions were also included in HIPAA to improve the efficiency and effectiveness of the health care system. These include specific transaction standards and code sets, national standard unique identifiers, and data security and electronic signatures.

HIPAA compliance is highly dependent on the size, function, administration, and type of entity or business associate. Therefore, this training module is not intended to be a complete or comprehensive guide to HIPAA compliance. Entities and business associates regulated by the Privacy and Security Rules are obligated to comply with all of their federal and state requirements and should not rely on this training alone as a source of legal information or advice. In addition, to ensure compliance with HIPAA, covered entities and business associates should regularly perform a risk assessment to track access to protected health information and periodically evaluate the effectiveness of the security measures put in place. They should also regularly re-evaluate potential risks to protected health information.

Who is mandated to follow HIPAA requirements? The HIPAA law applies directly to these groups, called covered entities and business associates. They are healthcare providers, health plans, healthcare clearinghouses, technology companies and cloud service providers, and anyone who has access to personal health information.

So what is a health care provider? Well, it's any provider of medical or other health services, or any organization or person who transmits any health information in electronic form. This includes organizations and individuals that provide billing or are paid in connection with services in the normal course of business. Some common examples include: physicians, dentists, optometrists, nurses, mental health providers, radiology centers, chiropractors, psychologists, pharmacies, durable medical equipment providers, hospitals, ambulance companies, home health workers, and social workers.

A health plan is any individual or group plan that provides or pays the cost of healthcare, such as an insurance company, Medicare, or Medicaid.

A health care clearinghouse is a public or private entity that transforms healthcare transactions from one form to another into a required format. An example of this would be an outside billing service that ensures all information transferred between a doctor's office and an insurance company complies with HIPAA.

HIPAA applies to employers only to the extent that they somehow operate in one or more of these three groups. The same standards apply to covered entities in both the public and private sectors. If a company offers health care and treatment to employees on-site, such as an on-site clinic, the employer would be a covered entity and be required to follow HIPAA requirements.

So what is a business associate? A business associate is any company or individual with access to protected health information (PHI) or ePHI. A business associate is required to have a risk assessment, training, and policies and procedures, just like a covered entity. Some examples of a business associate are IT vendors, laboratories, call centers, court reporters, cloud providers, legal services, and suppliers and manufacturers with access to PHI or ePHI. Business associates are required to protect PHI at all times, just like a covered entity. They are required to notify covered entities of any potential and active data breaches.

Business associates must comply with HIPAA requirements by signing a contractual agreement with the covered entity. This is called a Business Associate Agreement, or BAA. A BAA states that the business associate will only use the protected health information for proper purposes and will safeguard it from misuse. A business associate must also comply with all security requirements of the HIPAA regulations, which ensure that administrative, physical, and technical safeguards are in place to protect PHI. If a business associate violates HIPAA, they are not only in violation of the contract with the covered entity, but in violation of HIPAA itself. They will be held accountable for the penalties for both types of violations. If a business associate uses subcontractors, the HIPAA law requires contractual agreements between them. The subcontractor is held to the same HIPAA requirements in the use of PHI.

Thank you for taking the time today to educate yourself on just what HIPAA is.
In this lesson, you'll learn what HIPAA is, the role it plays in healthcare, and who is mandated to follow its requirements, along with relevant real-world examples.
HIPAA is an acronym that stands for the Health Insurance Portability and Accountability Act of 1996. Congress passed this landmark act to provide the following: portability of insurance; protection and privacy of healthcare information; standardization and efficiency in healthcare data; and prevention of discrimination and fraud.
HIPAA gives the U.S. Department of Health and Human Services the responsibility of adopting rules to help individuals and companies keep important health information private.
HIPAA protects against unauthorized disclosure of any protected health information that pertains to healthcare patients.
HIPAA establishes a national set of security standards for protecting certain health information that is held or transferred electronically. In addition to privacy and security, administrative provisions were also included in HIPAA to improve the efficiency and effectiveness of the healthcare system.
These provisions include: specific transaction standards and code sets; national standard unique identifiers; and data security and electronic signatures.
Pro Tip #1: HIPAA compliance is highly dependent on the size, function, administration, and type of entity or business associate. Therefore, this training module is not intended to be a comprehensive HIPAA compliance guide.
Warning: Entities and business associates that are regulated by HIPAA's privacy and security rules are obligated to comply with all federal and state requirements and should not rely on this training alone as a source of legal information or advice. In addition, to ensure compliance with HIPAA, covered entities and business associates should regularly perform a risk assessment to track access to PHI and periodically evaluate the effectiveness of the security measures that have been put into place.
HIPAA law applies directly to two particular groups known as covered entities and business associates, and these can include: healthcare providers, health plans, healthcare clearinghouses, technology companies and cloud service providers, and anyone with access to personal health information.
A healthcare provider is any provider of medical or other health services or any organization or person who transmits health information in electronic form. This includes organizations and individuals who provide billing services or are paid in connection with services in the course of doing business. Common examples include: physicians, dentists, optometrists, nurses, mental health providers, radiology centers, chiropractors, psychologists, pharmacies, durable medical equipment providers, hospitals, ambulance companies, home health workers, and social workers.
A health plan is any individual or group plan that provides or pays the cost of healthcare services, such as an HMO, an insurance company, and Medicaid and Medicare.
A healthcare clearinghouse is a public or private entity that processes healthcare transactions from one form to another in a required format. An example would be a third-party billing service that ensures that all information between a doctor's office and an insurance company complies with all HIPAA requirements.
Pro Tip #2: HIPAA applies to employers only to the extent that they operate in one of these three groups. Furthermore, the same standards apply to covered entities in both the public and private sectors.
If a company offers healthcare services and treatment to employees onsite, such as an onsite clinic, the employer would be a covered entity and would be required to follow all HIPAA requirements.
A business associate is any company or individual with direct or incidental access to PHI or ePHI. Business associates are required to have in place: a risk assessment, training, and policies and procedures, just like a covered entity.
Examples of business associates include: IT vendors, laboratories, call centers, court reporters, cloud providers, legal services, and suppliers and manufacturers with access to PHI or ePHI.
Business associates have the same requirements as covered entities to protect PHI and are required to notify covered entities of any potential and/or active data breaches. Business associates must also comply with HIPAA requirements by signing a contractual agreement with the covered entity, known as a Business Associate Agreement (BAA).
The BAA states that a business associate will only use protected health information for proper purposes and will safeguard it from misuse. Business associates must also comply with all HIPAA security requirements and ensure that administrative, physical, and technical safeguards are in place.
If a business associate violates the BAA, they are in violation of the contract with the covered entity and in violation of HIPAA, in which case the business associate will be held accountable for the penalties from both violations.
Pro Tip #3: If a business associate uses subcontractors, HIPAA requires contractual agreements between them. Subcontractors are held to the same HIPAA requirements when it comes to protected health information.
HIPAA stands for the Health Insurance Portability and Accountability Act of 1996 (or simply the HIPAA Act). It is a United States privacy law intended to protect patient medical information and ensure confidential communication between patients and medical professionals.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal U.S. law designed to provide privacy standards to protect sensitive patient health information provided to health insurers, billing companies, doctors, hospitals and other health care providers. The act is meant to ensure this sensitive information is not disclosed without the patient's consent or knowledge.