The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is widely known as one of our country’s most important privacy protection laws. It had profound implications for healthcare providers, insurers and other organizations that come into contact with protected health information. Regulators take HIPAA very seriously, and fines can be costly if government agencies determine that patient privacy has not been adequately protected. In addition to those financial penalties, organizations may suffer reputational damage as a result of HIPAA violations.
HIPAA’s privacy protections are covered under the “HIPAA Privacy Rule”. So which information does HIPAA protect, exactly? Let’s begin with a few important definitions:
“Protected health information” (PHI) is individually identifiable health information that is maintained or transmitted by a covered entity, and which was created, used, or disclosed in the course of medical diagnosis or treatment. The law carves out a few exceptions, including educational records maintained under FERPA, as well as certain employment records maintained by health care providers and other covered entities.
“Covered entity” refers to specific organizations that are subject to the HIPAA Privacy Rule, including healthcare providers, insurers and HMOs, and healthcare clearinghouses.
“Electronic protected health information” (ePHI) simply refers to any PHI maintained or transmitted in electronic form.
Information may be considered “personally identifiable” under the HIPAA Privacy Rule if it contains any of the following data points pertaining to a patient:
Obviously, it is sometimes necessary for certain organizations to share PHI with one another. Healthcare providers, for example, must communicate which services have been provided to a patient, including the diagnosis and treatment. While that scenario sounds obvious, there are a number of less obvious situations that also call for special attention in order to ensure HIPAA compliance. For example, companies that host e-mail servers, third-party billing companies, or providers of HIPAA compliant fax services handle PHI on a routine basis, even though they may not necessarily be the ultimate recipients of it.
These organizations must all understand the critical importance of patient privacy and have measures in place to safeguard it. Legally, it’s your responsibility to make sure that these business associates understand the obligation to safeguard PHI, and agree to take the appropriate measures themselves to protect the PHI that has been entrusted to you.
Whenever a covered entity shares PHI with another party, they are ultimately responsible for making sure that it remains secure according to HIPAA guidelines. The best way of handling this is by getting a signed business associate agreement (BAA) from vendors or other business partners who may be sending, receiving, or acting as an intermediary for PHI or ePHI. As part of our HIPAA compliant Healthcare Fax, WestFax provides an industry standard Business Associate Agreement. Our BAA satisfies the Health and Human Services (HHS) standards for Health Information Privacy (HIP). Alternatively, we can work with your legal advisors to tailor a custom BAA to meet your needs.
There are a few other scenarios in which PHI may be shared, including for marketing or research, but a written HIPAA Authorization must be obtained from the patient, or all personally identifiable information must be removed before the information is shared.
At WestFax, we provide best-in-class HIPAA compliant fax services hosted in SOC 2 compliant data centers with 24×7 guards, advanced video surveillance, biometric ID access, and server cages. We use the latest technical security controls to prevent unauthorized access to archived faxes, and to in-transit data when faxes are being sent and received.
If your organization is looking to update your technology and work with a fax provider who understands HIPAA, contact us today, or call us at 800-473-6208 to discuss your needs. We’ll work with you to make sure your compliance requirements are fully satisfied.