Webmedy Blog

What is HIPAA for Healthcare?

April 14, 2020 - by Parul Saini, Webmedy team

HIPAA stands for the Health Insurance Portability and Accountability Act. Enacted in 1996, HIPAA is a federal law that establishes a national standard for protecting medical records and other personal health data.

The HIPAA laws apply to:

  • Health Plans
  • Health Care Clearinghouses (entities that facilitate electronic transactions by "translating" data between health plans and providers when they use incompatible information systems)
  • Health Care Providers who transmit health information in electronic form in connection with one or more of the eight protected transactions.

Business associates of a covered entity are not directly regulated by the law, but the required contracts oblige them to protect the privacy of personally identifiable information. The Act sets out security requirements and data privacy rules in order to keep patients' medical data safe.

Five titles of the Act

  • Title I: HIPAA Health Insurance Reform

    This aims to preserve health insurance coverage for people who have changed or lost their jobs. It prevents group health plans from refusing to cover people with pre-existing illnesses or conditions and from setting lifetime coverage limits.
  • Title II: HIPAA Administrative Simplification

    This directs the United States Department of Health and Human Services (HHS) to regulate the processing of electronic healthcare transactions globally. It requires systems to provide secure electronic access to patients' health information while remaining in compliance with the privacy regulations established by HHS.
  • Title III: HIPAA Tax-Related Health Provisions

    This covers tax-related provisions as well as general medical care guidelines.
  • Title IV: Application and Implementation of Group Health Plan Requirements

    This represents a further improvement in health insurance, including coverage for those with pre-existing illnesses or conditions and for those requesting continued coverage.
  • Title V: Revenue Offsets

    This includes provisions related to company-owned life insurance and the treatment of those who lose their citizenship for income tax reasons.

Right to access your PHI

The Privacy Rule requires medical providers to give individuals access to their PHI. After an individual requests the data in writing (typically using the provider's form for this purpose), the provider has up to 30 days to give a copy of the data to the person. A person may request the information in electronic form or as a hard copy, and the provider is obliged to try to accommodate the requested format. For providers using an electronic health record (EHR) system that is certified under CEHRT (Certified Electronic Health Record Technology) standards, individuals must be able to obtain their PHI in electronic form.

Electronic Data Interchange (EDI)

These rules are known as the Transaction and Code Set Standards. The final rules for EDI and code sets took effect on October 16, 2003. Many of the transaction management standards are still under review and have not been finalized. The goal of these regulations is to standardize the electronic interchange of information (transactions) between trading partners. These transactions are required to use the ANSI ASC X12 version 4010 formats.

HIPAA Code Set

The HIPAA Code Set Regulations establish a uniform standard of data elements used to document the reasons why patients are seen and the procedures performed during health care visits: Diagnoses - ICD-9/10; Procedures - CPT-4, CDT; Supplies/Devices - HCPCS; Additional Clinical Data - Health Level Seven (HL7). HIPAA also specified administrative codes for use with certain transactions and eliminated state-specific local codes.

Privacy Rule

These rules set standards for protecting individually identifiable health information and for ensuring that individuals have greater control over that information. The privacy rules define the rights of individuals, while the security rules describe the methods and technology needed to assure that privacy.

Security Rule

These rules set standards for the security of electronic protected health information (EPHI). They define three types of security safeguards required for compliance: administrative, physical, and technical. The standards and specifications are as follows:

  • Administrative Safeguards

    This includes the policies and procedures that show clearly how the entity will comply with the Act:

    • Covered entities (entities subject to HIPAA) must adopt a written set of privacy procedures and designate a privacy officer responsible for developing and implementing all required policies and procedures.
    • The procedures should identify the employees or classes of employees who have access to electronic protected health information (EPHI). Access to EPHI must be limited to those employees who need it to perform their job role.
    • The procedures must address the authorization, establishment, modification, and termination of access.
    • Entities must show that an appropriate ongoing training program on the handling of PHI is provided to employees performing health plan administrative functions.
    • The procedures should document how to address and respond to security breaches identified either during an audit or in the normal course of operations.
  • Physical Safeguards

    • Controlling physical access to guard against improper access to protected data.
    • Monitoring and controlling access to the equipment that holds health information.
    • Only authorized persons may be allowed to access hardware and software.
    • Workstations should not be placed in high-traffic areas, and monitor screens should be kept out of the direct view of the public. Policies are needed to address the proper use of workstations.
    • If covered entities use contractors or agents, they too must be fully trained in their physical access responsibilities.
  • Technical Safeguards

    • Controlling access to computer systems and enabling covered entities to protect communications containing PHI transmitted electronically over open networks from being intercepted by anyone other than the intended recipient.
    • Information systems holding PHI must be protected against intrusion. When data flows across open networks, some form of encryption must be used. If closed systems or networks are used, existing access controls are considered adequate and encryption is optional.
    • Each covered entity is responsible for ensuring that the data within its systems has not been modified or deleted in an unauthorized way.
    • Checksums, double-keying, message authentication, and digital signatures must be used to assure data integrity.
    • Information technology documentation must include a written record of all configuration settings of all components of the network, since these components are complex, configurable, and constantly changing.

National Provider Identifiers (NPI)

These rules establish a standard unique health identifier for health care providers in order to simplify administrative processes such as referrals and billing, improve the efficiency of data exchange, and reduce costs. The NPI replaces all other identifiers used by health plans, Medicare, Medicaid, and other government programs. However, the NPI does not replace a provider's DEA number, state license number, or tax identification number. The NPI is 10 digits (may be alphanumeric), with the last digit holding a checksum. The NPI cannot contain any embedded intelligence; in other words, the NPI is just a number that does not itself carry any further meaning.
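The checksum in the last digit can be verified with the Luhn formula, which the NPI applies over the constant prefix 80840 (the card-issuer identifier assigned to the US health industry) followed by the 10 digits. The validator below is an added example, not code from the post; it assumes the identifier is made of decimal digits, and the sample values are constructed here.

```python
"""Compute and verify the check digit of a National Provider Identifier (NPI).

The NPI check digit is the Luhn check digit of the 9 data digits prefixed by
the constant 80840. Because the prefix is fixed, it always contributes 24 to
the Luhn sum, which is why CMS describes the calculation as "add 24".
"""

NPI_PREFIX = "80840"


def luhn_sum(digits: str, double_rightmost: bool) -> int:
    """Luhn sum of a digit string, doubling every second digit from the right.

    double_rightmost=True is used when the check digit is not yet present
    (the rightmost data digit is then the one to double); False when the
    string already ends with the check digit.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if (i % 2 == 0) == double_rightmost:
            d *= 2
            if d > 9:
                d -= 9  # same as summing the two digits of the product
        total += d
    return total


def npi_check_digit(data9: str) -> int:
    """Return the check digit for the first 9 digits of an NPI."""
    if len(data9) != 9 or not data9.isdigit():
        raise ValueError("expected exactly 9 decimal digits")
    total = luhn_sum(NPI_PREFIX + data9, double_rightmost=True)
    return (10 - total % 10) % 10


def is_valid_npi(npi: str) -> bool:
    """True if npi is 10 decimal digits whose last digit is the correct check digit."""
    if len(npi) != 10 or not npi.isdigit():
        return False
    return luhn_sum(NPI_PREFIX + npi, double_rightmost=False) % 10 == 0


if __name__ == "__main__":
    # Constructed sample: 123456789 takes check digit 3, so 1234567893 validates.
    sample = "123456789"
    print(sample + str(npi_check_digit(sample)), is_valid_npi("1234567893"))
```

A passing check only shows the number is well formed, which catches transcription errors such as a swapped pair of digits; whether the NPI is actually assigned to a provider has to be confirmed against the NPPES registry.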

Fines for Failure to Comply with HIPAA

The law imposes heavy civil and criminal penalties for failure to comply. The US DHHS Office for Civil Rights imposes civil penalties that may range from $100 per violation to $25,000 per calendar year. The US Department of Justice imposes criminal penalties that may amount to up to 10 years of imprisonment and a $250,000 fine.
