HIPAA and HITRUST are two frameworks that are commonly compared because they are used in the healthcare industry.
What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) sets out various rules and restrictions regarding the use and disclosure of individuals’ protected health information (PHI).
Who needs to adhere to HIPAA?
Those who need to adhere to HIPAA regulations are: Health insurance companies, healthcare clearinghouses, business associates, employers (employers that sponsor group health plans for their employees must comply with HIPAA regarding any employee health information they maintain HIPAA), mobile health/telehealth apps and companies and medical device and health technology companies. Ultimately, any individual or organization that handles protected health information for treatment, payment or healthcare operations purposes is considered a covered entity under HIPAA and must comply with HIPAA rules and regulations. This includes maintaining appropriate safeguards to protect patient privacy and data security. HIPAA applies to individuals and organizations within the United States and to companies that handle data of American citizens.
What is a HIPAA breach?
A HIPAA breach refers to the unauthorized access, use or disclosure of protected health information (PHI). PHI is any information that relates to an individual’s physical or mental health condition, health care provision or payment for health care that identifies the individual or could be used to identify the individual. This includes names, addresses, birth dates, social security number/ ID numbers and any type of healthcare identifiers.
Breaches can happen in a variety of ways, including:
- Hacking or malware attacks: Hackers can gain unauthorized access to electronic protected health information (ePHI) stored on computers, servers or mobile devices.
- Loss or theft of devices or paperwork: Losing or misplacing devices, charts, records or paperwork containing protected health information can cause a breach.
- Unauthorized access: When employees access protected health information without a legitimate “need to know” for treatment, payment or operations purposes. This includes unauthorized viewing of patient records.
- Improper disposal of PHI: Throwing out devices, paperwork or records containing protected health information in unsecured trash bins can cause a breach.
Nowadays, healthcare organizations rely heavily on electronic methods to save and share patient records. HIPAA has created rules and checks to make sure that digital media – like transmitting over networks, storing in databases and using mobile devices (such as tablets and laptops) – are kept secure. If medical information is somehow accessed, stolen or tampered with in any of these places, it is called a HIPAA breach. If this happens, there are specific actions that need to be taken and reported.
This unauthorized access (the breach) to an individual’s private information is conducted in a manner that is not permitted by the Health Insurance Portability and Accountability Act (HIPAA) regulations. When a breach occurs, it compromises the privacy and security of patients’ sensitive health information.
HIPAA Breach Notification Rule
Organizations that handle PHI are required to comply with the HIPAA breach notification rule (when a breach occurs). The HIPAA Breach notification rule establishes the requirements that need to be covered when there has been unauthorized access to PHI. The rule is set up to ensure that affected individuals, the Department of Health and Human Services (HHS) and sometimes even the media are notified. This is to assess the severity and potential risks associated with a HIPAA breach. Organizations often employ a HIPAA breach assessment tool. This tool aids in evaluating the nature and extent of the breach. This will help determine the extent of harm to individuals’ private data and the measures to mitigate the breach’s impact. Conducting a detailed risk assessment is vital for organizations to comply with HIPAA regulations.