This is quite interesting and potentially may raise more questions than answers. Let’s consider a couple of scenarios first:
- Business provides healthcare insurance as a self-insured company. This basically means that instead of buying a plan for its employees through a broker or exchange, the business has implemented a risk management plan under which it becomes responsible for the financial risk of providing health care benefits to its employees.
- Business/school has a nurse or similar healthcare professional on site who handles minor on site accidents.
- Business conducts on-site drug testing.
- Business offers on site physicals to its employees.
Based on the above, consider the following questions:
- How many of the above businesses are considered Covered Entities under the Health Insurance Portability and Accountability Act (HIPAA) and therefore must comply with this law?
- How many of the above businesses have Protected Health Information (PHI) in their possession?
- Does having access to PHI make a business a Covered Entity?
- In case of a breach, will the actions required be the same for all of them?
Under HIPAA, the rules apply to Covered Entities and Business Associates. However, the term Covered Entity only applies to health plans, health care clearinghouses, Business Associates and any health care provider who transmits health information in electronic form in connection with transactions for which the Secretary of Health and Human Services (HHS) has implemented standards under HIPAA. Let’s go a little deeper into the definitions and consider the basic categories mentioned above:
- Provider. A health care professional or entity, regardless of size, that electronically transmits health information in connection with certain transactions, such as claims, eligibility inquiries and other electronic transactions, is a covered entity.
- Health Plan. Individual and group plans that provide or pay the cost of medical care are covered entities.
- Health Care Clearinghouse. An entity that processes information received from another entity and converts it into a format that the receiving entity can process.
- Business Associate. A person or entity that is not an employee of a Covered Entity but receives access to PHI from the Covered Entity in order to perform a function or activity on behalf of that Covered Entity.
Sounds simple, but consider the following: when Sony Pictures files were illegally accessed (hacked), the people doing so had access to employee records. Chances are that some of these records contained health information. Could some of this information fall under the PHI category? Was this illegal access a HIPAA Security Breach? I actually have the answers to these questions, but this time I decided to make it interesting and open the article for comments. However, for those readers who are not interested in the details, I have the following recommendations:
- Keep health information separated from regular personnel records;
- Encrypt all electronic information;
- Keep antivirus and firewalls up to date;
- Consider the implementation of a Security Management Plan;
- Consider cyber liability and legal liability products.
The reality is that breaches are going to be a fact of life, given the proliferation of technology and our culture’s reliance on software and hardware. Also, the number of cyber criminals and their activities in 2015 is expected to surpass that of previous years. So the remaining question is: what are you going to do about it?