The Health Insurance Portability and Accountability Act (HIPAA) was established by Congress in 1996. The legislation was passed to improve the efficiency of the United States healthcare system. It does so by standardizing best practices for maintaining the security and privacy of healthcare data. HIPAA required the United States Department of Health and Human Services (HHS) to create new regulations addressing this data. Thus far, the HHS has released two documents, the Privacy Rule and the Security Rule.
The Privacy and Security Rules define requirements for handling all electronic personal health information (e-PHI). Personal health information (PHI) represents any health data that includes identifying information (e.g., name, address, health conditions). Further, under HIPAA, healthcare organizations can no longer request Social Security numbers (SSN) as part of their data collection.
In 2009, the U.S. Congress also passed the Health Information Technology for Economic and Clinical Health (HITECH) Act. This legislation creates definitions for the meaningful use of electronic health records (EHR) that contain PHI. The HITECH Act requires healthcare organizations to report suspected breaches. Increasing awareness around healthcare-related data breaches also prompted Congress to pass the HIPAA Omnibus Rule in 2013. This rule defines required security controls. These controls aim to strengthen the original protections within the HIPAA Privacy and Security Rules.
Covered Entities. HIPAA defines rules for all healthcare organizations (also known as covered entities) that store or transmit PHI data. Covered entities can include health plans, healthcare providers, or individuals assisting with healthcare. HIPAA also acknowledges that covered entities occasionally need to disclose PHI to business associates that support health services.
With the passing of the HITECH Act and HIPAA Omnibus Rule, business associates must adhere to HIPAA requirements in the same fashion as a covered entity. As such, covered entities must get written assurances from business associates that appropriate controls are in place.