The Health Insurance Portability and Accountability Act (HIPAA) is a US healthcare law that establishes requirements for the use, disclosure, and safeguarding of individually identifiable health information. It applies to covered entities—pharmacies, doctors’ offices, hospitals, health insurers, and other healthcare companies—with access to patients’ protected health information (PHI), as well as to business associates, such as software service and IT providers, that may access PHI on their behalf. The law regulates the use and dissemination of PHI in four general areas:
1. Privacy, which covers patient confidentiality.
2. Security, which deals with the protection of information, including physical, technological, and administrative safeguards.
3. Identifiers, which are the types of information that cannot be released if collected for research purposes.
4. Codes for electronic transmission of data in healthcare-related transactions, including eligibility and insurance claims and payments.
The scope of HIPAA was extended with the enactment of the Health Information Technology for Economic and Clinical Health (HITECH) Act. Together, HIPAA and HITECH Act rules include:
The HIPAA Privacy Rule, which focuses on the right of individuals to control the use of their personal information, and covers the confidentiality of PHI, limiting its use and disclosure.
The HIPAA Security Rule, which sets the standards for administrative, technical, and physical safeguards to protect electronic PHI from unauthorized access, use, and disclosure. It also includes such organizational requirements as Business Associate Agreements (BAAs).
The HITECH Breach Notification Final Rule, which requires giving notice to individuals and the government when a breach of unsecured PHI occurs.
HIPAA regulations require that covered entities and their business associates—in this case, Abacus when it provides services to covered entities—enter into contracts to ensure that those business associates will adequately protect PHI. These contracts, or BAAs, clarify and limit how the business associate can handle PHI, and set forth each party’s adherence to the security and privacy provisions set forth in HIPAA and the HITECH Act. Once a BAA is in place, Abacus customers—covered entities—can use its services. Currently there is no official certification for HIPAA or HITECH Act compliance. However, those Abacus services covered under the BAA are undergoing audits conducted by accredited independent auditors.