
What does HIPAA cover in a healthcare organization?


The biggest category that the Health Insurance Portability and Accountability Act of 1996 (HIPAA) covers is protected health information (PHI). HIPAA also covers medical records and any information shared during consultations.


Protected health information (PHI)

PHI includes names, dates relating to a patient's care, phone numbers, and email addresses. It also encompasses full-face photographs, biometric identifiers such as fingerprints, and health insurance beneficiary numbers, among other identifiers. HIPAA requires stringent protection for this sensitive data regardless of its form or medium.


Various forms of data and HIPAA protection

Paper records

Even in the digital age, paper records persist within healthcare systems. HIPAA's privacy rule covers these records. Access is restricted to authorized personnel essential for their duties. 


Electronic records

Electronic health records (EHR) streamline patient care but remain subject to HIPAA's protective measures. Similar to paper records, electronic files demand technological safeguards. Implementing usernames, passwords, and user-specific access to patient files fortifies electronic record security. 


Spoken information

The spoken word is also subject to HIPAA's protective purview. Patient-related discussions demand privacy, requiring conversations in secure, private spaces. This applies to healthcare providers and includes patients and guardians in certain scenarios, ensuring confidentiality and adherence to HIPAA standards during every interaction.


HIPAA's security standards

While emphasizing patient privacy, HIPAA's security rule outlines standards for securing patient information. This rule covers electronic PHI (ePHI), dictating stringent security measures for electronic formats while not extending to written or oral PHI.


Administrative safeguards

Designating a security official to establish and enforce safeguards is a primary requirement. A security management process should be implemented to identify, analyze, and mitigate potential data risks. Training and managing employees with access to electronic records, limiting access only to necessity, and regular evaluations form integral parts of these administrative safeguards.


Technical safeguards

Utilizing usernames, audit controls for tracking access, encryption for data transmission, and measures against data alteration or destruction form the core of technical safeguards. These measures ensure restricted access, traceability, and integrity of electronic PHI.
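The access-control, audit-control and integrity measures just listed, shown together in a small Python model. This is example code added to illustrate the page, not Paubox's code or any EHR product's implementation; the role table, user names, patient record and integrity key are all constructed for the demonstration, and encryption of data in transit (the remaining measure) is assumed to be handled by TLS and is not shown. Every access attempt, allowed or denied, lands in the audit log, and a record that was altered outside the controlled path is caught by an HMAC tag before it is served.

```python
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, field

# Constructed key for this example only. In a real deployment the integrity
# key lives in a key-management system, never in source code.
INTEGRITY_KEY = b"demo-only-integrity-key"

# Constructed role-to-permission table (user-specific access to patient files).
ROLE_PERMISSIONS = {
    "physician": {"read", "write"},
    "nurse": {"read"},
    "billing": set(),  # no clinical record access in this example
}


class AccessDenied(Exception):
    pass


class IntegrityError(Exception):
    pass


def _tag(record_id: str, payload: dict) -> str:
    # HMAC over a canonical JSON form, so any change to the record changes the tag.
    msg = record_id.encode() + b"\x00" + json.dumps(payload, sort_keys=True).encode()
    return hmac.new(INTEGRITY_KEY, msg, hashlib.sha256).hexdigest()


@dataclass
class EphiStore:
    records: dict = field(default_factory=dict)  # record_id -> {"payload", "tag"}
    audit_log: list = field(default_factory=list)

    def _audit(self, user, role, action, record_id, outcome):
        # Audit control: every attempt is recorded, whether it succeeded or not.
        self.audit_log.append({"ts": time.time(), "user": user, "role": role,
                               "action": action, "record": record_id, "outcome": outcome})

    def write(self, user, role, record_id, payload):
        if "write" not in ROLE_PERMISSIONS.get(role, set()):
            self._audit(user, role, "write", record_id, "denied")
            raise AccessDenied(f"{user} ({role}) may not write {record_id}")
        self.records[record_id] = {"payload": dict(payload), "tag": _tag(record_id, payload)}
        self._audit(user, role, "write", record_id, "ok")

    def read(self, user, role, record_id):
        if "read" not in ROLE_PERMISSIONS.get(role, set()):
            self._audit(user, role, "read", record_id, "denied")
            raise AccessDenied(f"{user} ({role}) may not read {record_id}")
        entry = self.records[record_id]
        expected = _tag(record_id, entry["payload"])
        # Integrity check: refuse to serve a record whose tag no longer matches.
        if not hmac.compare_digest(expected, entry["tag"]):
            self._audit(user, role, "read", record_id, "integrity_failure")
            raise IntegrityError(f"{record_id} was altered outside the controlled path")
        self._audit(user, role, "read", record_id, "ok")
        return dict(entry["payload"])


def demo():
    """Walk through a write, an allowed read, a denied read and a tamper detection."""
    store = EphiStore()
    store.write("dr_lee", "physician", "pt-001", {"name": "Constructed Patient", "dx": "example"})
    nurse_view = store.read("rn_kim", "nurse", "pt-001")
    try:
        store.read("acct_ng", "billing", "pt-001")
        billing_denied = False
    except AccessDenied:
        billing_denied = True
    # Simulate alteration that bypassed the application (e.g. a direct database edit).
    store.records["pt-001"]["payload"]["dx"] = "tampered"
    try:
        store.read("dr_lee", "physician", "pt-001")
        tamper_detected = False
    except IntegrityError:
        tamper_detected = True
    return {"nurse_view": nurse_view,
            "billing_denied": billing_denied,
            "tamper_detected": tamper_detected,
            "audit_outcomes": [e["outcome"] for e in store.audit_log]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The audit log is what makes the denied attempt and the integrity failure visible to whoever reviews access to ePHI; the HMAC tag is only as strong as the protection of its key, which is why the key must not share storage with the records it protects.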


Physical safeguards

Protecting hardware and physical access to electronic records entails automatic logouts, restricted area access, and screen protections to prevent unauthorized access. Safeguarding the physical environment where electronic records are stored is crucial for HIPAA compliance.
