What is HIPAA?
HIPAA, an acronym for the Health Insurance Portability and Accountability Act, is a law passed by the US Congress in 1996 with two main purposes: one, to enable American workers to retain health insurance coverage when changing or losing their job (the portability part), and two, to ensure the protection and confidentiality of health information (the accountability part).
To achieve accountability among health care providers (e.g. doctors and dentists), health plan and health insurance organizations, and their business associates (e.g. clearinghouses and cloud billing/storage providers), HIPAA defines three key rules:
- Privacy Rule: A set of privacy standards which dictate when PHI (Protected Health Information) may be used and disclosed.
- Security Rule: A set of safeguards that must be implemented to ensure the integrity, confidentiality, and availability of ePHI (Electronic Protected Health Information). These include risk mitigation strategies with the use of IT security controls, physical security controls, and administrative controls.
- Breach Notification Rule: A set of requirements on who to notify in the event of a security breach, and how. Typically, entities are required to notify all affected individuals and the US Department of Health and Human Services (HHS). In certain cases, media notification is also required.
In addition to mandating standardized mechanisms for electronic data interchange (EDI), HIPAA also requires that health care entities – including individuals, employers, health plans, and health care providers – be assigned a unique 10-digit identifier number, called an NPI (National Provider Identifier).
In short, any application used by a healthcare provider or medical office that sends or receives ePHI must be a HIPAA-compliant application.