Health information is regarded as highly private data by many individuals. The unauthorized disclosure of health data can, and has, caused individuals to suffer personal embarrassment, identity theft and worry. In an effort to keep health information private, especially as health records have become digitized, the US government has enacted two laws over the past 25 years: HIPAA and HITECH.

On 21 August 1996, HIPAA was signed into law with the intent to:

"...improve the portability and accountability of health insurance coverage for employees between jobs... combat waste, fraud and abuse in health insurance and healthcare delivery... promote the use of medical savings accounts by introducing tax breaks, [provide] coverage for employees with pre-existing medical conditions and [simplify] the administration of health insurance."[1]

Over the next 13 years, technology advanced by leaps and bounds. In response to these changes, HITECH was enacted on 17 February 2009. HITECH aimed to:

"...promote the adoption and meaningful use of health information technology [and address] the privacy and security concerns associated with the electronic transmission of health information, in part, through several provisions [to] strengthen the civil and criminal enforcement of the HIPAA rules."[2]

Because HITECH amended HIPAA, no discussion of HIPAA is complete without also considering HITECH. To give a complete and accurate picture of both laws, this series on HIPAA & HITECH is divided into four parts:

  1. HIPAA Foundations
  2. HITECH | Foundations
  3. HIPAA & HITECH | Today’s Health Data Privacy Laws in the USA
  4. HIPAA & HITECH | Third-party Risk Management

In this first part of our HIPAA Foundations post, we define the important terms to know when reading the regulation. In the second installment, we will summarize the legislation part by part, giving an overview of HIPAA's information security and privacy requirements so that you can meaningfully contribute to healthcare privacy discussions at your organization.

Important Definitions in HIPAA

This section contains the important definitions found in HIPAA (in alphabetical order):

Business associate

  • A person who:
    • On behalf of (but not as an employee of) a covered entity or an organized health care arrangement (i) creates, (ii) receives, (iii) maintains, or (iv) transmits PHI, including for:
      • Benefit management
      • Billing
      • Claims processing or administration
      • Data analysis
      • Patient safety activities
      • Practice management
      • Processing or administration
      • Quality assurance
      • Repricing
      • Utilization review
    • Provides (but not as an employee of a covered entity) any of the following services to a covered entity, where the service involves the disclosure of PHI:
      • Accounting
      • Accreditation
      • Actuarial
      • Administration
      • Consulting
      • Data aggregation
      • Financial
      • Legal
      • Management
  • Business associate includes:
    • Any of the following that provides data transmission services involving PHI to a covered entity on a routine basis:
      • A health information organization
      • An e-prescribing gateway
      • Any other person
    • A person that offers a personal health record to at least one individual on behalf of a covered entity
    • A subcontractor that does any of the following with PHI on behalf of the business associate:
      • Creates
      • Receives
      • Maintains
      • Transmits
  • Business associate does not include:
    • A health care provider, regarding disclosures by a covered entity to that provider about an individual's treatment
    • A plan sponsor, regarding disclosures to the plan sponsor by a:
      • Group health plan
      • Health insurance issuer
      • HMO
    • A government agency, with respect to determining eligibility for (or enrollment in) a government health plan, or collecting health information for such purposes
    • A covered entity that participates in an organized health care arrangement and performs a function or provides a service as described above on behalf of that arrangement

Covered entity

  • A health plan
  • A health care clearinghouse
  • A health care provider
    • That transmits any health information electronically in connection with a transaction
  • A covered entity may be a business associate of another covered entity

Electronic media

  • Any of the following electronic storage materials on which data is or may be recorded:
    • Devices in computers (e.g., hard drive)
    • Removable digital devices (e.g., magnetic tape)
    • Optical disk
    • Digital memory card
  • Transmission media used to exchange information already stored electronically:
    • Transmission media include:
      • The Internet
      • Extranet/intranet
      • Leased lines
      • Dial-up lines
      • Private networks
      • Physical movement of electronic storage media
    • Transmission media do not include (so long as the information being exchanged did not exist electronically immediately before the transmission):
      • Paper
      • Voice

Family member

  • A dependent of the individual
  • Any person who is at most a fourth-degree relative of either the individual or a dependent:
    • First-degree relatives
      • Parents, spouses, siblings, and children
    • Second-degree relatives
      • Grandparents, grandchildren, aunts, uncles, nephews, and nieces
    • Third-degree relatives
      • First cousins, great-grandparents, great-grandchildren, great aunts, and great uncles
    • Fourth-degree relatives
      • Children of first cousins, great-great grandparents, great-great grandchildren
    • Clarifications:
      • Relatives by affinity (e.g., marriage or adoption) are treated the same as biological relatives
      • Relatives who are not full-blood related (e.g., half-siblings) are treated the same as full-blood relatives

Genetic information

  • Information about an individual that involves:
    • The individual's genetic tests
    • The genetic tests of the individual's family members
    • The manifestation of a disease or disorder within the individual's family
    • Any request for, or receipt of, the following services by the individual or a member of the individual's family:
      • Genetic services
      • Participation in clinical services which include genetic services
  • Any reference in this subchapter to the genetic information of an individual or the individual's family includes the genetic information of:
    • A fetus carried by the individual or a family member
    • An embryo legally held by the individual or a family member in relation to fertility treatments
  • Genetic information does not include sex or age

Health information

  • Any information, whether oral or recorded in any form, that:
    • Is created or received by a:
      • Health care provider
      • Health plan
      • Public health authority
      • Employer
      • Life insurer
      • School or university
      • Health care clearinghouse
    • Relates to an individual's:
      • Past, present, or future:
        • Physical health/condition
        • Mental health/condition
        • Payment for received health care services
      • Received health care services

Individually identifiable health information

  • Information that is a subset of health information, including demographic information collected from an individual, and:
    • Is created or received by a:
      • Health care provider
      • Health plan
      • Employer
      • Health care clearinghouse
    • AND
    • Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and:
      • That identifies the individual
      • or
      • With respect to which there is a reasonable basis to believe the information can be used to identify the individual

PHI (Protected health information)

  • Individually identifiable health information:
    • That is (unless stated otherwise):
      • Transmitted by electronic media
      • Maintained in electronic media
      • Transmitted or maintained in any other form or medium
    • PHI excludes individually identifiable health information in these scenarios:
      • In education records covered by FERPA (the Family Educational Rights and Privacy Act)
      • Per 20 U.S.C. 1232g(a)(4)(B)(iv):
        • Records on a student who is 18 years of age or older, or is attending an institution of postsecondary education, which are made or maintained by a physician, psychiatrist, psychologist, or other recognized professional or a paraprofessional acting in his professional or paraprofessional capacity, or assisting in that capacity, and which are made, maintained, or used only in connection with the provision of treatment to the student, and are not available to anyone other than persons providing such treatment, except that such records can be personally reviewed by a physician or other appropriate professional of the student’s choice
      • In employment records held by a covered entity in its role as employer
      • Regarding a person who has been deceased for more than 50 years

Come back for part two of this blog series on the foundations of HIPAA to learn what your organization can do to stay compliant with the key components of this regulation.

[1] https://www.hipaajournal.com/hipaa-history/

[2] https://www.hhs.gov/hipaa/for-professionals/special-topics/hitech-act-enforcement-interim-final-rule/index.html