What is HIPAA?
HIPAA -> Health Insurance Portability and Accountability Act of 1996 is a public law to improve healthcare systems' efficiency and effectiveness. As there was a perceived risk that advances in electronic technology could erode health information privacy, the adoption of Federal privacy protections for identifiable health information was incorporated into the law.
Who needs to comply with HIPAA?
Health Plans, Health Care Clearinghouse, and Health Care providers. Anyone providing treatment, payment, or operations in healthcare and business associates. So basically, anyone who processes protected health information (PHI).
What does HIPAA say about data classification?
Nothing, there is no requirement to perform data classification on your documents. But there are other requirements where having achieved a data classification on your papers will be very helpful. Below are a few of them.
- 164.306 Security standards: General rules. (1) Ensure the confidentiality, integrity, and availability of all electronically protected health information the covered entity or business associate creates, receives, maintains, or transmits. To ensure confidentiality, you need to know which documents are confidential. Otherwise, you need to protect all records as if they were secret.
Implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronically protected health information.
164.504 Uses and disclosures: Organizational requirements
- For two parties to share or give PHI access, the covered entity must sign a Business Associate Agreement (BAA) with the business associate. If the associate has subcontractors who get access to PHI documents, they would have to sign a BAA too by the BAA waterfall. Suppose you don't have control over which records are confidential and contain PHI. In that case, you risk giving access to the subcontractor and thereby being in violation by not having the BAA in place.
- You must report to the covered entity any use or disclosure of the information not provided for by the BAA. Without knowing which documents contain health data and their confidentiality level, how can you monitor misuse or disclosure of the information?
- At the BAA termination, the associated partner needs to return or destroy all protected health information received from a covered entity or an associated partner on behalf of the covered entity.
- 164.524 Access of individuals to protected health information. An individual has a right to inspect and obtain a copy of protected health information about the individual.
Subpart D—Notification in the Case of Breach of Unsecured Protected Health Information
Reporting breaches is mandatory. If a stolen laptop contained unsecured PIH, you need to report it. Knowing whether that laptop had confidential documents with PIH can save you a lot of trouble.
Summary: HIPAA is an incredibly complex law with many pitfalls. If you are processing protected health information, make sure you know where it is, its quantity, and who has access to it.
