HIPAA: Terms to Remember

When it comes to HIPAA and protecting your employees’ private information, there are a lot of things you have to remember to make sure you are not violating any of the guidelines. Here is a short refresher course on HIPPA and the most important terms.

HIPAA: The Health Insurance Portability and Accountability Act is a law passed in 1996. Its ultimate goal is to streamline and standardize healthcare information and to protect that information from public exposure. HIPAA consists of 5 Titles or sections:

  1. Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs.
  2. Title II of HIPAA, known as the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers.
  3. Title III sets guidelines for pre-tax medical spending accounts.
  4. Title IV sets guidelines for group health plans.
  5. Title V governs company-owned life insurance policies.

Personal health information (PHI) is any information about the health status, treatment, or payment information that is created or collected by a Covered Entity (or a Business Associate of a Covered Entity), that can be tied directly to a specific individual. Examples include, Names, Social Security Numbers, Medical Record Numbers, phone numbers, biometric data, full face photos, and even IP addresses.

Covered Entities are any healthcare provider, health plan or clearinghouse that electronically transmits protected health data for any PHI for any transactional purpose. An organization is not a covered entity if they do not transmit this data electronically. Alternatively, many vendors of these healthcare organizations are also required to comply with the covered entity HIPAA rules. These HIPAA business associates include any company or organization that works with a covered entity and has access to PHI. All business associates must enter into a contract called a Business Associate Agreement (BAA) that outlines the duties to be performed and the allowable uses of the PHI.

HIPAA Privacy Rule focuses on the right of an individual to control their PHI. This rule covers the confidentiality of PHI in all formats: electronic, paper, and oral. This confidentiality agreement between the covered entity and the patient assures the patient that their information will be kept private. The Privacy Rule is primarily to control who is authorized to access patient information and under what conditions that data can be used or disclosed.

HIPPA Security Rule was created specifically to address the protection of electronic PHI (ePHI). Typically ePHI is stored on computer hard-drives, mobile devices, and private networks. The Security Rule specifically applies to the technical, administrative, and physical safeguards put in place to protect the digitized PHI from unauthorized access. Security firewalls, passwords on computers, limited access to data sources are all examples of HIPAA Security.

If your company is looking for more financial and employee benefits resources, call 800.583.6908 or visit or speak to a benefit consultant to see what we can do to help make you healthier and prosperous.