x

Glossary

Our Criblpedia glossary pages provide explanations to technical and industry-specific terms, offering valuable high-level introduction to these concepts.

HIPAA

Enterprise information security and legal teams in enterprise software have always benefited from a robust partnership. As more services and data continue to migrate to the cloud it creates an evolving and increasingly complex regulatory landscape.

This requires a compliance framework, a structured approach that outlines the policies, procedures, and controls companies use to ensure they are operating within legal and ethical boundaries as required by law or industry standards. It’s designed as a roadmap for them to comply with laws, regulations, and industry standards. It helps them manage and identify potential risks, and implement measures to mitigate them. These frameworks include: ISO 27001, PCI DSS, NIST, GDPR and more.

What is HIPAA?

The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other individually identifiable health information (collectively defined as “protected health information”). It applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of protected health information and sets limits and conditions on the uses and disclosures that may be made of such information without an individual’s authorization.

HIPAA also gives individuals rights over their protected health information. These right include rights to examine and obtain a copy of their health records, to direct a covered entity to transmit to a third party an electronic copy of their protected health information in an electronic health record, and to request corrections. (From HHS.gov)

What does HIPAA define?

At a very high level, the privacy rule defines the following:

  • Patient level of control over their own health information.
  • Sets boundaries for the release and use of health records.
  • Establishes appropriate safeguards that health care providers and others must achieve to protect the privacy of health information.
    • Outlines the controls healthcare providers must use to secure their technology.
  • It holds violators accountable, with civil and criminal penalties that can be imposed if they violate patients’ privacy rights.

HIPAA rules allow freedom in how the above controls are applied. A secure network must include Authentication and Access Control policies, secure firewalls and VPNs, encryption of transmitted data and audit controls.

HIPAA Protection Requirements

HIPAA rules protect all “individually identifiable health information” held or transmitted by a covered entity or its business associate. That includes any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information “Protected Health Information (PHI).

“Individually identifiable health information” is information, including demographic data, that relates to:

  • the individual’s past, present or future physical or mental health or condition
  • the provision of health care to the individual
  • the past, present, or future payment for the provision of health care to the individual

This refers to information that either directly identifies a person or has a reasonable likelihood of identifying them, using Personally Identifiable Information (PII).

HIPAA Security Standards

The HIPAA Security Standards encompass a set of regulations to facilitate Administrative Simplification. These regulations, comprised of five key rules, aim to enhance the protection and management of healthcare information. The rules are as follows:

Privacy Rule
This rule establishes standards to safeguard individuals’ medical records and personal health information, ensuring their confidentiality and proper handling.

Transactions and Code Sets Rule
It sets standards for electronic healthcare transactions and the associated code sets, promoting consistency and efficiency in the exchange of health information.

Security Rule
Focused on safeguarding electronic protected health information (ePHI), this rule outlines security standards and safeguards to protect the confidentiality, integrity, and availability of health information.

Unique Identifiers Rule
This rule establishes unique identifiers for healthcare providers, health plans, and employers, streamlining electronic transactions and ensuring accurate identification.

Enforcement Rule
Also known as the Compliance and Investigations Rule, it lays out procedures and penalties for the enforcement of the other four rules, aiming to ensure adherence to HIPAA regulations and safeguarding healthcare information.

For more information about the HIPAA Privacy Rule check out HHS.GOV HIPAA deep dive.

HIPAA Compliance Checklist

Here’s a simplified checklist to help you ensure adherence to the privacy rule:

Want to learn more?
Discover best practices for shaping your streaming data with Cribl Stream.