3.31.20 - The ScriptDrop Team

What Does HIPAA Mean for Me?

Over the course of the pandemic, vast numbers of patients have turned to telehealth and prescription delivery for their basic healthcare needs. All of those providers and services should be HIPAA-compliant. But what does it mean to be HIPAA-compliant?

If it's your first time managing your healthcare through technology, you might need some definitions to get you started. Let’s take a look at the law and how it keeps patient information safe.

HIPAA, Defined

First, HIPAA stands for the “Health Insurance Portability and Accountability Act.” This act was signed into law on August 21, 1996 and was meant to do the following:

  • Improve the handling of health insurance coverage for employees between jobs
  • Combat waste, fraud, and abuse in health insurance and healthcare delivery
  • Promote the use of medical savings accounts
  • Provide coverage for employees with preexisting conditions
  • Simplify the administration of health insurance

After HIPAA was signed into law, the Department of Health and Human Services developed the Privacy Rule and Security Rule. These "rules" – which are federal laws – define which pieces of health information are private, who may access and receive that information, and how that information must be secured.

Before we move on, let’s break down a few more terms. 

Covered entities: These organizations need to abide by HIPAA. This includes:

  • Health insurance companies
  • Healthcare providers (including pharmacists)
  • Healthcare clearinghouses that process health data
  • And business associates of covered entities, such as e-prescribing services, healthcare delivery companies, and electronic prior authorization software services

Although individuals who work for covered entities or their business associates are not technically "covered entities" themselves, they can still be charged with HIPAA violations.

PHI: This stands for “Protected Health Information.” PHI is individually identifiable health information that covered entities create, maintain, receive, or transmit, whether among themselves or with other entities. All PHI must be handled carefully to prevent unauthorized disclosure.

Breach: The Department of Health and Human Services defines a breach as “an impermissible use or disclosure...that compromises the security or privacy of the protected health information.” In practice, if unencrypted protected health information is lost, stolen, or accidentally revealed, it is a breach.

What Counts as PHI

“Protected health information” is a vague phrase. The simplest definition is this:

Health Information + Individual Identifier = PHI

“Health information” could be test results, prescription information, diagnoses, medical histories, insurance details, or any other information used to identify a patient or provide healthcare services or healthcare coverage. 

You can find a list of the eighteen “individual identifiers” here. The list includes items like your name, phone number, Social Security number, fingerprint, and even your zip code. 

Thus, something as simple as a specific diagnosis + a zip code = PHI. It might be challenging for someone to track down an individual from that information, but it is possible.

PHI violations hurt patients. With PHI, criminals can commit medical identity theft, credit card fraud, blackmail, or worse. For that reason, covered entities must handle any and all PHI carefully, whether they are storing, sharing, or destroying it. For example:

  • PHI cannot be transmitted through regular email; it must be encrypted.
  • PHI on printed material cannot be disposed of in regular trash or recycling; it must be placed in a secure shredder.

ScriptDrop Values Your Privacy

ScriptDrop is 100 percent invested in patient privacy. Our Security & Compliance team is dedicated to keeping your information safe and secure even beyond what HIPAA requires. The members of our security team are experts in healthcare IT and have a flawless track record.

Your PHI data is in good hands with ScriptDrop. Remember that it’s always acceptable to ask healthcare providers, insurers, and other entities how they comply with HIPAA regulations. 

To learn more about your rights as a patient under HIPAA, read more on the Health & Human Services website.