What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law, enacted in 1996, that protects individually identifiable health information.

In plain language, it protects the medical records that hospitals and other health organizations handle, defines what counts as protected health information, and specifies which entities are required to comply with the law.

Entities covered under HIPAA include:

  • Health care providers, such as clinics, doctors, dentists, nursing homes, psychologists, or pharmacies;
  • Health plans, such as health insurers;
  • Health care clearinghouses.

It is important to note that the Privacy Rule covers protected health information in any form (oral, paper, or electronic), whereas the Security Rule applies only to health information that is held or transmitted electronically.

HIPAA comprises several rules that covered healthcare entities should be aware of. These include:

  • Privacy rule. This part of HIPAA protects the privacy of individually identifiable health information, known as Protected Health Information (PHI). It sets limits on the use and disclosure of such information and establishes a series of patient rights regarding their health information.

  • Security rule. This rule complements the Privacy Rule. It sets standards for securing patient health information that is held or transferred in electronic form. The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards organizations must implement to secure individuals’ electronic PHI (ePHI).

  • Transactions and code sets rule. This rule standardizes the electronic transactions used for claims, eligibility, and payment, and the code sets used to describe diseases, injuries, and other health conditions, as well as patient treatment and billing information. It aims to make healthcare administration more efficient and cost-effective.

  • Unique identifiers rule. Under HIPAA, covered entities must use standard identifiers in HIPAA transactions: health care providers are identified by a unique 10-digit National Provider Identifier (NPI), and employers are identified by their Employer Identification Number (EIN).

  • Enforcement rule. This rule contains provisions relating to compliance and investigations, the imposition of civil money penalties for violations, and procedures for hearings.

MergeBase and HIPAA

MergeBase does not create, receive, maintain, or transmit protected health information, either on its own behalf or on behalf of a covered entity; therefore, MergeBase is neither a covered entity nor a business associate, and HIPAA does not apply to us.

How MergeBase Helps You Comply with HIPAA

The HIPAA Security Rule contains strict data security requirements that MergeBase can help you meet.

The HIPAA Security Rule focuses specifically on electronic PHI (ePHI) and requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for protecting ePHI. Key elements include:

  • Confidentiality, integrity, and availability. Covered entities must ensure the confidentiality, integrity, and availability of all ePHI they create, receive, maintain, or transmit.

  • Risk analysis and management. Entities must perform a risk analysis and implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.

  • Administrative Safeguards. These include policies and procedures designed to clearly show how the entity will comply with the act, covering areas like training, contingency planning, and the assignment of a security officer.

  • Physical Safeguards. These involve controlling physical access to protect against inappropriate access to protected data.

  • Technical Safeguards. These cover access control, audit controls, integrity controls, person or entity authentication, and transmission security. Together they restrict who can reach systems holding ePHI, record what is done there, detect improper alteration of ePHI, and protect communications containing ePHI that cross open networks from being intercepted by anyone other than the intended recipient.

MergeBase reduces your applications' attack surface by identifying known-vulnerable software components so that you can remediate them. This supports the Security Rule's risk analysis and management requirement, helps keep your data confidential, and helps ensure that your technical safeguards remain intact.