HIPAA HIPAA Hooray

HIPAA is one of the most commonly misunderstood laws / regulations around today. This is partly because it was written in 1996 by a bunch of folks who don't really understand technology & partly because a quick "HIPAA" Google search leads you down a dark and twisty rabbit hole - trust us, it will make your brain melt. In an effort to cut through the confusion, here's our layperson's guide and all you really need to know:

So, what exactly is HIPAA?  It's a federal law that governs how health related, personally identifiable data is managed, stored and preserved. 

Before we get too deep in the weeds, here are some fancy acronyms you should know about:

• HIPAA - The Health Insurance Portability and Accountability Act (succinct, huh?)
  
• PHI - Private Health Information (interchangeable with PII, below, PHI refers to personally identifiable information such as name, DOB, phone number, social security number, etc.) 
• PII - Personally Identifiable Information (interchangeable with PHI, above, note that this does not include "descriptors", such as sex, height, weight, etc.)
• BAA - Business Associate's Agreement (one of the more fundamental components of HIPAA, keep reading)

‍

The 4 Key Components of HIPAA:

1.  BAA - creates a binding contract between two entities who might come into contact with PHI.  For example, there is a BAA in place between a doctor's computer system and their data system to protect the PHI entered for all patients.  Note that this contract places the liability onto the service provider's shoulders. 

2.  Encryption - the process of transforming data into something that the human eyeball can't decipher.  Data needs to be encrypted in a couple of ways:

• Encryption in transit (protects data as it travels between your app/phone/tablet/computer and the server)
• Encryption on the hard drive (protects data once it is in the database) 

3.  Access Control - refers to who can see and manage the data.  There are two levels of access control:

• Software access (who has access to view patient data & what information is masked/unmasked?)
  
• Hardware access (who has access to the underlying data systems?  have they been trained to safely preserve and backup the data?  is there a disaster recovery program in place?)

4.  Disclosure - requires patient consent in order to share HIPAA data with anyone else.  

Some Common Misunderstandings:

• Asking for vaccination status is not a HIPAA violation.  Sorry (not sorry), Marjorie Taylor Greene...it is absolutely allowed under HIPAA to ask for anyone's PHI.  The violation only exists if you share someone's PHI without consent.  
• Secondly, an individual can't sue for a HIPAA violation.  There is no civil protection under HIPAA providing an individual authority to take legal action against a violation.  If a healthcare provider leaks PHI without consent, the only entity that can take legal action is the Health and Human Services Administration.

‍

So why do we know all of this and why do we care??? 

Here at Standard Co, we help some of the largest healthcare organizations in the world with their data management (think WHO, the CDC, Ministries of Health in Sub-Saharan Africa, South America, and South Asia).  Because we commonly work with sensitive PHI, we've applied HIPAA-like controls to our own software by default, including audit controls, access controls, PHI/PII masks, and training protocols for our team and clients.  

Further, the data we gather belongs to our clients - we do not own it, we do not repackage it, and we do not do any unauthorized analysis against it.  In short, we take the best care of our clients' data as we can, because we know it matters.  If you have data that needs protection, look no further.  Reach out, we're here for you.

‍