HIPAA: The most famous US data protection law

In our last blog we alerted you to the existence of data protection laws, which regulate businesses that collect data about individuals. One of the older data protection laws at the federal level in the United States is HIPAA (the Health Insurance Portability and Accountability Act of 1996). Any medical office, or any organization that handles medical records on behalf of one, is subject to HIPAA, the federal law governing the privacy and security of health data.

If you are covered by HIPAA, your big concern is the law’s strict rules covering the privacy of a patient’s health records. Among other things, it gives patients a right to have the privacy of their health data maintained (the Privacy Rule), sets security requirements for that data when it is held electronically (the Security Rule), and requires notification of the Department of Health and Human Services and of affected individuals when the data is breached (the Breach Notification Rule). Most importantly, the law creates a very imposing set of regulations that, if not tightly adhered to, can result in severe liabilities and penalties.

Who is regulated by HIPAA? Very broadly, any entity that handles Protected Health Information (PHI) in any form, electronic or otherwise. The two general groups covered by this law are known as Covered Entities and Business Associates.

Covered Entities are those who, in their normal activities, create, maintain, directly access and/or transmit PHI. Examples of these entities are healthcare providers, healthcare clearinghouses, health insurance plans, and the group health plans of employers who self-insure.

A Business Associate is any outside person or organization that creates, receives, maintains, or transmits PHI on behalf of a Covered Entity. A Business Associate is directly subject to the same fines and penalties for non-compliance as a Covered Entity. Examples of Business Associates include attorneys, accountants, IT contractors, managed service providers, billing firms, data storage centers, and even email hosting providers.

While HIPAA is an exceptionally complex law, the takeaway here is that anyone covered by the law has a serious obligation both to protect data and to report any breaches.