HIPAA. The Health Insurance Portability and Accountability Act. (That’s two “A”s, if you’re keeping track at home.)
HIPAA is as convoluted as it sounds. It’s an act of congress regulating a third of the world’s largest economy. So of course it is! And whether you’re a health-tech founder, run a medical clinic, or just need to get in for your first annual checkup in a decade, HIPAA is part of your life.
Over the next few weeks we’ll be talking about the Health Insurance Portability and Accountability Act, delving its mysteries, uncomplexifying its complexity. It will be more fun than it sounds.
There’s a lot to digest. so let’s start with some low-hanging fruit.
HIPAA has become a buzz word that few understand but many toss about. In the sports world, for instance, when NFL owner and friend of the firm Jerry Jones (jk) leaned into a hot mic with a monologue on a player’s medical history you may have heard a faint shout of “HIPAA!” from the data-protection-when-it’s-convenient warriors in the back row. Keyboard commandos laid siege on Twitter exclaiming out Jerry’s HIPAA violation.
But was it really?
Instances like these have created misconceptions about what HIPAA is and who it applies to. Let’s set the record straight.
HIPAA was enacted in 1996 with two main goals. To facilitate the flow of patient medical information between providers and payers. And—because transmission creates risk—to protect that information from falling into the wrong hands.
The critical takeaway is that HIPAA was enacted primarily to encourage information sharing not to protect privacy. By providing nationally standardized rules for data transmission HIPAA facilitated creation of a medical-information highway. As a side effect it also created an entirely new compliance industry. Because of HIPAA, patients can share medical information between providers and providers can share information with payers all without having to jump through too many hoops. At least that’s the theory.
The biggest misconception about HIPAA is who it applies to. It’s not patients. Or owners of football teams. HIPAA applies to covered entities and their business associates. Covered entities are hospitals, health-insurance companies, and most types of medical practices. Business associates are any person or entity that works with, but not for, a covered entity and through that relationship comes into contact with protected health information of a medical patient.
So did Jerry Jones violate HIPAA or infringe his player’s HIPAA rights when he hot mic’d that medical-history monologue? Nah. (But it still wasn’t cool.)
Okay, so, why should you care?
If you or your business works with someone in the medical field or even medical field adjacent, there is chance you could come into contact with protected health information, bringing you into the grasp of HIPAA. We see it with tech platforms that may host PHI. We see it with marketing agencies that probably won’t but may have access to a provider’s PHI.
And violations of HIPAA have serious consequences: investigations by the Office of Civil Rights, Department of Justice, and now state attorneys general (courtesy of the HITECH Act—more on that another time). Investigations can lead to civil and criminal penalties and monetary fines. Many of these investigations end with a settlement, but the major burden of a violation is undergoing investigation, or even three investigations at once—keeping you away from running your business.
To avoid these burdensome investigations, HIPAA requires certain safeguards in place to eliminate the possibility of unauthorized disclosures of protected health information. Among them, covered entities and their business associates must sign a “business associate agreement” that governs the exchange of protected health information between the parties.
There’s a lot more here, so stay tuned for future installments where we dig into these BAAs and other safeguards required for HIPAA compliance.