
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal standard specifically designed to secure protected health information (PHI). Regulated by the Office for Civil Rights, HIPAA outlines the permissible use and disclosure of PHI in the USA as set forth by HHS guidelines. 


HIPAA compliance around security and technology maintains a sizeable mind share within the MSP community, as the healthcare industry is both technology dependent and ranges in size from large medical organizations and hospitals on the enterprise side down to small doctor and dental offices on the SMB side, and everything in between.

Regardless of the size of organization, PHI data and the systems processing PHI data must be scoped, secured and protected. 

First off, what is considered PHI data? The detailed definition is below, but at a high level it is any data that would identify a patient or individual. The good news is that if PHI data is encrypted, it is considered protected, and a breach of encrypted data that cannot be decrypted would not trigger breach notification rules! So encrypt all PHI and sleep well at night! 

PHI stands for "Protected Health Information" and refers to any individually identifiable health information that is transmitted or maintained by a covered entity or its business associates, in any form or medium, whether electronic, paper, or oral.

Protected Health Information includes demographic information, medical history, test results, insurance information, and other data that can be used to identify an individual and is related to their past, present, or future physical or mental health or condition, provision of health care to the individual, or payment for the provision of health care.

HIPAA regulations set forth strict guidelines for the use and disclosure of PHI to ensure patient privacy and confidentiality. Covered entities, such as health care providers, health plans, and health care clearinghouses, must comply with HIPAA requirements to safeguard PHI and protect patient rights.


ControlMap has supported HIPAA’s Security Objectives since 2022 but has recently expanded the framework support to also include: 

New: HIPAA’s Breach Notification Requirements: https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html 

New: HIPAA’s Privacy Rule Objectives: https://www.hhs.gov/hipaa/for-professionals/privacy/index.html

Existing: HIPAA’s Security Rule Objectives: https://www.hhs.gov/hipaa/for-professionals/security/index.html

Thanks for getting that in there. 

I am going to put in a couple of enhancement requests. 

The first one is on privacy. BAs (Business Associates) don't need to comply with 90% of the privacy rules, mostly the administrative ones (you need policies, 6-year data retention) and the rules that say 'For Business Associates'; you can ignore the privacy rules that say 'A covered entity .....'

It should act similarly to CIS (where you can mark things out of scope): 'CA' for CAs, 'BA' for BAs (some cross over). They don't need rules marked for BAs, unless they HAVE BAs (and then they need to comply with the things for agreements).

