HIPAA is one of the most commonly misunderstood laws and regulations around today. This is partly because it was written in 1996 by a bunch of folks who didn't really understand technology, and partly because a quick "HIPAA" Google search leads you down a dark and twisty rabbit hole - trust us, it will make your brain melt. In an effort to cut through the confusion, here's our layperson's guide and all you really need to know:
So, what exactly is HIPAA? It's a federal law that governs how health-related, personally identifiable data is managed, stored and preserved.
Before we get too deep in the weeds, here are some fancy acronyms you should know about:
The 4 Key Components of HIPAA:
1. BAA (Business Associate Agreement) - creates a binding contract between two entities who might come into contact with PHI (Protected Health Information). For example, there is a BAA in place between a doctor's computer system and their data system to protect the PHI entered for all patients. Note that this contract places the liability onto the service provider's shoulders.
2. Encryption - the process of transforming data into something that the human eye can't decipher. Data needs to be encrypted in a couple of ways:
3. Access Control - refers to who can see and manage the data. There are two levels of access control:
4. Disclosure - requires patient consent in order to share HIPAA data with anyone else.
Some Common Misunderstandings:
So why do we know all of this, and why do we care?
Here at Standard Co, we help some of the largest healthcare organizations in the world with their data management (think WHO, the CDC, Ministries of Health in Sub-Saharan Africa, South America, and South Asia). Because we commonly work with sensitive PHI, we've applied HIPAA-like controls to our own software by default, including audit controls, access controls, PHI/PII masks, and training protocols for our team and clients.
Further, the data we gather belongs to our clients - we do not own it, we do not repackage it, and we do not run any unauthorized analysis against it. In short, we take the best care we can of our clients' data, because we know it matters. If you have data that needs protection, look no further. Reach out, we're here for you.