HIPAA Cloud Compliance

What is the Health Insurance Portability and Accountability Act of 1996 (HIPAA)?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is the primary United States legislation that regulates the data private and security of protected health information, also known as PHI. The act, Public Law 104-191, contained provisions requiring the Department of Health and Human Services (HHS)  to “adopt national standards for electronic health care transactions and code sets, unique health identifiers, and security,” HHS has published multiple rules to satisfy this requirement, resulting into a combined regulatory text published in March 2013. All encompassed, HIPAA requires all health care providers and organizations and their business associates to enact comprehensive data privacy and security specifications on PHI.

The regulation consists of two fundamental rules: the Security Rule and the Privacy Rule. The details and obligations of these rules are defined below.

Other relevant provisions include the guarantee of health insurance coverage for individuals who lose or change their jobs. HIPAA also establishes procedures for breach notification in the HIPAA Breach Notification Rule. Covered entities and business associates are required to notify patients following data breaches. The scope of organizations required to notify of breaches of PHI was expanded by the Federal Trade Commission (FTC) in 2010 to include vendors of electronic health records (EHRs) and EHR-related systems.

Through its provisions, HIPAA requires strict privacy and security safeguards on PHI and ePHI and non-compliance can result in significant penalties. The financial penalties are based on the level of negligence and the nature of the non-compliance. Ultimately, the secretary of HHS has full discretion in determining the penalty.

A public list of breaches is also maintained by HHS, placing a spotlight on organizations who have experienced data loss in their organization.

Who does it apply to?

• Healthcare providers and organizations
• Business associates (BA) and subcontractors of BAs of health care entities (as defined by the Health Information Technology for Economic and Clinical Health (HITECH))

What data are protected?

• Protected health information is “individually identifiable health information” as defined by:
  • Any information, including demographic information, collected from an individual that is created or received by a health care entity or BA
  • Any information that can be reasonable used to identify an individual that relates to the past, present, or future physical or mental health or condition of that individual
  • Any information that relates to the provision of healthcare to that individual
  • Any information pertaining to the past, present, or future payment for the provision of healthcare to that individual