What is HIPAA?
HIPAA, the Health Insurance Portability and Accountability Act of 1996, is a public law enacted to improve the efficiency and effectiveness of the healthcare system. Because there was a perceived risk that advances in electronic technology could erode the privacy of health information, Federal privacy protections for individually identifiable health information were incorporated into the law.
Who needs to comply with HIPAA?
Health plans, health care clearinghouses, and health care providers: anyone providing treatment, payment, or operations in healthcare, as well as their business associates. So basically, anyone who processes protected health information (PHI).
What does HIPAA say about data classification?
Nothing; there is no requirement to perform data classification on your documents. But there are other requirements where having already classified your documents will be very helpful. Below are a few of them.
Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of electronic protected health information.
164.504 Uses and disclosures: Organizational requirements
Subpart D—Notification in the Case of Breach of Unsecured Protected Health Information
Reporting breaches is mandatory. If a stolen laptop contained unsecured PHI, you need to report it. Knowing whether that laptop held confidential documents containing PHI can save you a lot of trouble.
Summary: HIPAA is an incredibly complex law with many pitfalls. If you are processing protected health information, make sure you know where it is, its quantity, and who has access to it.