HIPAA Considerations for Zeel Providers
In addition to providing therapeutic services and adhering to codes of conduct and ethics, every healthcare practitioner must understand and adhere to some crucial government regulations, starting with HIPAA compliance.
HIPAA and the HIPAA Privacy Rule
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law mandating the creation of national standards to prevent disclosure of sensitive patient health information without the patient’s consent or knowledge. The US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement the requirements of HIPAA.
The HIPAA Privacy Rule was also designed to streamline digital access to patients’ health information for patient and provider alike. Adoption of this rule facilitated funding for the development of HIPAA-compliant software known as EHR (electronic health records) and for hospitals and other providers to purchase and implement EHR systems.
With the advent of EHR systems came a large body of regulations designed to protect data, provide physical security for that data, and protect electronic transactions. Central to these regulations are rules governing the use and disclosure of individuals' health information (known as protected health information, or PHI, and personally identifiable information, or PII) by entities subject to the Privacy Rule. These individuals and organizations are called covered entities. As a provider of healthcare services that are electronically billed to an insurance carrier, you are a covered entity.
The Privacy Rule also contains standards for individuals’ rights to understand and control how their health information is used and handled. A major goal of the Privacy Rule is to ensure the protection of individuals’ health information while also allowing the flow of information needed to support a high-quality continuum of care.
Remember that HIPAA violations can result in civil, monetary, or criminal penalties.
PHI and PII: What’s the Difference?
Personally Identifiable Information, or PII, is a general term used to describe any form of sensitive data that could be used to identify an individual. The term is not specific to HIPAA, and PII is not regulated by HIPAA in the way PHI is. Some information considered to be PII is available in public sources such as telephone books or public websites.
Protected Health Information, or PHI, is any medical information that can potentially identify an individual and that was created, used, or disclosed in the course of providing healthcare services, whether during diagnosis or treatment. PHI can include information about:
The past, present, or future physical health or condition of an individual
Healthcare services rendered to an individual
Past, present, or future payment for the healthcare services rendered to an individual, along with any of the identifiers listed in the following section
What Type of Information is Considered PHI?
Names
Dates (excluding year)
Telephone numbers
Geographic data such as address
Fax numbers
Social Security numbers
Email addresses
Medical record numbers
Account numbers
Health plan beneficiary numbers
Certificate/license numbers
Vehicle identifiers and serial numbers, including license plates
Web URLs provided by the patient
Device identifiers and serial numbers
Internet protocol (IP) addresses
Full-face photos and comparable images
Biometric identifiers (e.g. retinal scan, fingerprints)
Any unique identifying number or code
Medical bills and billing statements
What is Considered a Misuse of PHI?
Keeping unsecured records containing PHI on unsecured data platforms
Data breaches caused by telehealth or EHR vendors
Stolen or lost devices containing PHI, including USB drives, hard drives, laptops, or phones
Data breaches involving malware, phishing, or ransomware
Disposing of documents and files containing PHI in a way that allows unauthorized future retrieval or misuse, such as leaving a document containing PHI in a trash can or improperly disposing of a hard drive containing PHI
Lack of HIPAA training for employees who come into contact with PHI
Sending PHI to the wrong patient or address
Misusing social media
Covered Entities
Individuals and organizations subject to the HIPAA Privacy Rule—due to their creation, storage, or usage of patients’ health information—are called covered entities. They include the following categories:
Healthcare providers and practices: Every healthcare provider or practice that electronically transmits health information in connection with certain transactions, including:
Claims
Benefit eligibility inquiries
Referral authorization requests
Other transactions for which HHS has established standards under the HIPAA Transactions Rule
Health Plans: Insurance companies, third-party administrators, and other types of payers are covered under the HIPAA Privacy Rule.
Healthcare Clearinghouses: Clearinghouses process information between different healthcare entity types (such as practices and insurers) and convert the information into standard formats to be distributed from one entity to another. Examples include:
Processing electronic claims from providers to be sent to health plans
Processing electronic payments and remits to providers to keep patient accounts up to date
Business Associates: A business associate is any person or organization that uses or discloses individually identifiable health information in order to perform functions, activities, or services for a covered entity. Business associates are required to sign a Business Associate Agreement (BAA) before engaging in any activity in which PHI may be disclosed to them. Examples of business associates include:
Claims processing clearinghouses
Billing or credit card processing companies
Vendors with access to patient records, such as patient messaging or marketing platforms
To comply with the HIPAA Security Rule, all covered entities must:
Ensure the confidentiality, integrity, and availability of all electronic PHI
Detect and safeguard against anticipated threats to the security of the information
Protect against reasonably anticipated uses or disclosures that are not permitted by the rule
Certify compliance by their workforce
Permitted Uses and Disclosures
The Privacy Rule permits important uses of information while protecting the privacy of people who seek care and healing. Practices like Zeel are also obliged to inform patients of any potential use of their health information through signed patient consent forms and distribution of a Notice of Privacy Practices.
There is a specific and limited set of scenarios in which this information may be disclosed without patient authorization:
When required by law
When necessary to prevent or lessen a serious threat to health or safety
Public health activities
Protecting victims of abuse, neglect, or domestic violence
Health oversight activities
Judicial and administrative proceedings
Law enforcement
Functions concerning deceased persons, such as identification
Cadaver organ, eye, or tissue donation
Research, under certain conditions
Essential government functions
Workers’ compensation
Covered entities, including Zeel and the members of its provider network, should apply professional ethics and best judgment when considering requests for these permitted uses and disclosures. The HHS Office for Civil Rights enforces the HIPAA rules.
Reasonable Safeguards
A covered entity must put in place appropriate administrative, technical, and physical safeguards to protect against uses and disclosures not permitted by the Privacy Rule and to limit incidental uses or disclosures.
Steps providers can take every day to protect individuals’ health information include:
Avoiding speaking about patients or conditions in public areas
Taking extra precautions to protect your electronic devices from theft, and logging out or turning them off if you walk away from them in a public place
Enabling additional security measures, such as two-factor authentication, on any electronic device or platform that holds personal information
The most essential protection of patient privacy is YOU. Awareness of what PHI and PII are, protecting that data, and reporting any incident to Zeel are all important responsibilities you hold as a provider in the Zeel network. If you ever witness, experience, or even suspect a breach of HIPAA compliance, we rely on you to inform us so we can take the necessary measures to protect both you and the individuals you treat.