From the course: Cybersecurity Foundations: Governance, Risk, and Compliance (GRC)
HIPAA
- [Instructor] Hippos, often confused with HIPAA, are large semi-aquatic mammals native to Sub-Saharan Africa. HIPAA, the law, has two As, and hippo, the animal, has two Ps, which I often see mixed up. Let's learn about the federal law HIPAA in this video. HIPAA stands for the Health Insurance Portability and Accountability Act, which was passed in 1996 as a federal law. That's right, HIPAA is a federal law. The HIPAA law requires the creation of national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge. The US Department of Health and Human Services, or HHS, issued the HIPAA Privacy Rule to implement the requirements of HIPAA, and the HIPAA Security Rule, which protects a subset of information covered by the privacy rule. Let's talk about both the privacy and security rules in HIPAA. The privacy rule applies to individuals or organizations that are considered covered entities and specifies standards that govern the use and disclosure of individuals' health information, also known as protected health information, or PHI. HIPAA defines covered entities as health plans, healthcare clearinghouses, and healthcare providers who electronically transmit any health information. You may be thinking, "Oh, so HIPAA only applies to a few companies in the healthcare space." Not so fast. HIPAA also applies to business associates. Business associates are any person or organization using or disclosing individually identifiable health information to perform or provide functions, activities, or services for a covered entity. A few examples of covered entities and business associates are listed here. As you can see, there is a wide range of companies and entities that are considered either covered entities or business associates. Now, let's talk about the security rule. The privacy rule is focused on protecting PHI. The security rule protects a subset of information covered by the privacy rule.
This subset of information is all individually identifiable health information a covered entity creates, receives, maintains, or transmits in electronic form. This data is also called electronic protected health information, or ePHI. The security rule does not apply to PHI transmitted orally or in writing. The security rule requires four general rules for covered entities and their business associates to meet. You must ensure the confidentiality, integrity, and availability of all ePHI. You must detect and safeguard against anticipated threats to the security of the information. You must protect against anticipated impermissible uses or disclosures that are not allowed by the rule, and you must certify compliance by your workforce. You're obviously taking this course because you're interested in governance, risk, and compliance, so you may be wondering: what about the compliance certification for HIPAA? Here's a secret that not a lot of people know. The HHS does not provide or recognize a HIPAA certification. Interesting, right? They do, however, look at whether or not an organization has made a good-faith effort towards HIPAA compliance. If there is a HIPAA violation or complaint filed, the HHS Office of Civil Rights is responsible for enforcing the privacy and security rules. The enforcement process from the Office of Civil Rights, or OCR, is a structured approach to determining whether there was a violation and imposing appropriate penalties if they determine a violation has occurred. If you are found to be non-compliant with either the privacy or security rule, you could find your company name on something that no company wants to find its name on: the HIPAA Wall of Shame, which is a public online portal that lists all breaches reported within the last 24 months that are currently under investigation by the OCR.
As you can see, HIPAA is a big deal, and if you work in an organization that is considered a covered entity or business associate, this is a law you should be familiar with. While there is no recognized compliance certification, you will want to make sure you've done your part to implement the basic safeguards outlined in the privacy and security rules, just in case the OCR comes knocking on your door. It's not enough to implement these safeguards; being able to prove it to a third party, like the OCR, is key and a critical responsibility of any GRC professional.