Healthcare Technology Featured Article

December 28, 2020

What is HIPAA Compliance: Understanding and Complying with HIPAA

During the COVID-19 pandemic, there was an urgent need to collect and store a significant amount of information about the health of the population. Employers began monitoring the incidence of COVID-19 among employees, government agencies started collecting data on relocations and isolation, and more and more people began contacting health facilities for COVID-19 testing for antibodies.

Health data belong to the sensitive category of personal data and have a greater degree of protection than other individual data categories. That is why health data need a separate legal regulation that would regulate their collection and use.

Rethinking Patient Data Privacy

Technologies have already become so firmly entrenched in our lives that today we can get a doctor's consultation through social networks. New tools, ranging from electronic medical records and special devices to mobile and web-based applications, allow doctors to help patients at a higher level. But these same technologies heighten the risk that sensitive data about a patient's health will spread, and weaken the guarantee that your online consultant will keep medical confidentiality. That is an overriding necessity, as people are concerned about storing private information and sensitive health and medical data safely. The fine line between the urgent need to share a rare case of a disease and a public debate on the details of a patient's condition can be erased instantly, and the advent of new technologies only exacerbates this. HIPAA was designed to satisfy this growing necessity.

What Is HIPAA And Why Should We Care?

HIPAA was originally created to streamline healthcare processes, reduce costs by standardizing certain general healthcare operations, and protect the safety and privacy of individuals' protected health information (PHI). HIPAA determines which patient data is protected and who must comply with HIPAA requirements when working with PHI.

An organization or individual authorized to access a patient's health information is obliged to comply with HIPAA.

In the age of social networks, a clinic's reputation depends on HIPAA compliance. An accidental photo taken in a clinic can cost you your reputation and your career, and can even lead to jail time; HIPAA now regulates this. That is why HIPAA is an area where violations are easy to commit. The concept of medical secrecy and its nondisclosure is one of the most pressing problems and topics for discussion in the medical community.

What Is The Main Use Of The HIPAA Act?

HIPAA comprises norms for protecting specific medical data that is stored or transmitted in electronic form. Employers' health insurance plans must follow the rules for exchanging and protecting personal medical information in order to preserve medical confidentiality. The HITECH Act expands the responsibilities of business associates under HIPAA, increases liability for failure to implement its requirements, and imposes additional breach notification requirements. Although technically separate, HIPAA and HITECH are usually discussed and referenced together as just HIPAA. Neither of these acts is less or more important than the other. Business associates have to comply with both acts if they create, use, send, or store protected health information.

HIPAA is based on two basic rules:

  1.  A privacy rule, which protects private data
  2.  A security rule, which requires enhanced security measures

HIPAA regulations protect doctor/patient confidentiality, prohibit the disclosure of medical secrets, and identify and prosecute those responsible in the event of a violation of specific rules, whether intentional or not.

Who Is Subject To HIPAA?

HIPAA does not apply to all persons or institutions. It applies only to covered entities, including health plans, healthcare clearinghouses (which process health information on behalf of other covered entities), and certain healthcare providers (hospitals and physicians).

HIPAA also applies to business associates if their services involve the use or disclosure of protected health information. These include accountants, consultants, third-party administrators, and health record vendors. The Breach Notification Rule requires business associates to inform their covered entities of a HIPAA breach, so that the covered entity can report the incident and arrange for individual notices to be sent.

Though HIPAA is sometimes criticized for being vague and subject to interpretation, it is valuable because it protects patients' health information. It was also designed to be flexible enough to apply to organizations of all sizes and types.

Key Moments Of The Health Information Portability And Accountability Act

By definition, HIPAA ensures appropriate protection of Protected Health Information (PHI), which includes:

  1.  The patient's personal health data, both physical and psychological.
  2.  The history of the patient's visits to medical institutions.
  3.  Financial information regarding medical services.
  4.  Personal data of the patient, such as contact details and photos, which can help identify the patient.

A further category is Electronic Protected Health Information (EPHI), which is the same data about the patient's health, only in electronic form.

There are several exceptions under which personal data and patient information may be shared with patients' relatives or third parties. Still, in most cases the disclosure of medical secrets will entail substantial fines or even criminal liability. If proven guilty, the perpetrator could receive a prison sentence of one to five years.


HIPAA treats the following categories of data as PHI:

  •  Past and current data on the state of a person's health (the person's anamnesis, diagnosis, results of medical examinations, and prescribed treatment);
  •  Data on the provision of medical services to a person;
  •  Past and current data on payment for medical services that can be used to identify a person.

Maintaining Confidentiality

Confidentiality is not only a legal requirement but also essential to a safe, ethical relationship with clients. Confidentiality requirements do not prevent violence counselors from reporting when they see or hear about abuse, as they are also mandated reporters. So, you may ask, what can happen if you fail to comply with HIPAA? Compliance violations are a serious matter that can lead to civil and criminal penalties.

There are two situations in which a client's personal information can be disclosed:

Client Request - If the client, as the holder of the privilege, requests their information, it must be provided to them within 30 days.

Suspected Abuse - The welfare agency requires some identifiable information. Provide the minimal amount that still allows you, as the provider, to fulfill the intended purpose.

HIPAA And Security

Because HIPAA was written to accommodate the constraints of tomorrow's technology, the exact scope of this directive remains open. Protocols are required to ensure the safety of information transmitted over an electronic communications network.

This means that any device that sends data over the network, especially one outside the company's firewall, must implement an authentication and encryption mechanism. HITECH has expanded HIPAA's privacy and security requirements.
