HIPAA Considerations for Zeel Providers

In addition to providing therapeutic services and adhering to codes of conduct and ethics, every healthcare practitioner must understand and adhere to some crucial government regulations, starting with HIPAA compliance.

HIPAA and the HIPAA Privacy Rule

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law mandating the creation of national standards to prevent disclosure of sensitive patient health information without the patient’s consent or knowledge. The US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement the requirements of HIPAA.

The HIPAA Privacy Rule was also designed to streamline digital access to patients’ health information for patient and provider alike. Adoption of this rule facilitated funding for the development of HIPAA-compliant software known as EHR (electronic health records) and for hospitals and other providers to purchase and implement EHR systems.

With the advent of EHR systems came a massive amount of regulations designed to protect data, provide physical security of that data, and protect electronic transactions. Central to these regulations is the use and disclosure of individuals’ health information—known as protected health information (PHI) and personally identifiable information (PII)—by entities subject to the Privacy Rule. These individuals and organizations are called covered entities. As a provider of healthcare services that are electronically billed to an insurance carrier, you are a covered entity.

The Privacy Rule also contains standards for individuals’ rights to understand and control how their health information is used and handled. A major goal of the Privacy Rule is to ensure the protection of individuals’ health information while also allowing the flow of information needed to support a high-quality continuum of care. 

Remember that HIPAA violations can result in civil, monetary, or criminal penalties.

PHI and PII: What’s the Difference?

Personally Identifiable Information, or PII, is a general term that is used to describe any form of sensitive data that could be used to identify an individual. This term is not specific to HIPAA and is not regulated like PHI is. Some information considered to be PII is available in public sources such as telephone books or public websites.

Protected Health Information, or PHI, is any health information that can identify an individual and that was created, used, or disclosed in the course of providing healthcare services, whether during diagnosis or treatment. PHI can include information about:

  • The past, present, or future physical health or condition of an individual 

  • Healthcare services rendered to an individual 

  • Past, present, or future payment for the healthcare services rendered to an individual, along with any of the identifiers listed in the following section

What Type of Information is Considered PHI?

  • Names

  • Dates (excluding year)

  • Telephone numbers

  • Geographic data such as address

  • Fax numbers

  • Social Security numbers

  • Email addresses

  • Medical record numbers

  • Account numbers

  • Health plan beneficiary numbers

  • Certificate/license numbers

  • Vehicle identifiers and serial numbers, including license plates

  • Web URLs provided by the patient

  • Device identifiers and serial numbers

  • Internet protocol (IP) addresses

  • Full-face photos and comparable images

  • Biometric identifiers (e.g. retinal scan, fingerprints)

  • Any unique identifying number or code

  • Medical bills and billing statements

What is Considered a Misuse of PHI?

  • Keeping unsecured records containing PHI on insecure data platforms

  • Data breaches caused by telehealth or EHR vendors

  • Stolen or lost devices containing PHI, including USB drives, hard drives, laptops, or phones

  • Data breaches involving malware, phishing, or ransomware

  • Disposing of documents and files containing PHI in a way that allows for unauthorized future retrievals or misuse, such as leaving a document containing PHI in a trash can or improper disposal of a hard drive containing PHI

  • Lack of HIPAA training for employees who come into contact with PHI

  • Sending PHI to the wrong patient or address

  • Misusing social media

Covered Entities

Individuals and organizations subject to the HIPAA Privacy Rule—due to their creation, storage, or usage of patients’ health information—are called covered entities. They include the following categories:

Healthcare providers and practices: Every healthcare provider or practice that electronically transmits health information in connection with certain transactions, including:

  • Claims

  • Benefit eligibility inquiries

  • Referral authorization requests

  • Other transactions for which HHS has established standards under the HIPAA Transactions Rule

Health Plans: Insurance companies, third-party administrators, and other types of payers are covered under the HIPAA Privacy Rule. 

Healthcare Clearinghouses: Clearinghouses process information between different healthcare entity types (such as practices and insurers) and convert the information into standard formats to be distributed from one entity to another. Examples include: 

  • Processing electronic claims from providers to be sent to health plans

  • Processing electronic payments and remits to providers to keep patient accounts up to date

Business Associates: A business associate is any person or organization using or disclosing individually identifiable health information to perform or provide functions, activities, or services to a covered entity. Business associates are required to sign a Business Associate Agreement (BAA) prior to engaging in any activity that may divulge PHI. Examples of business associates include:

  • Claims processing clearinghouses

  • Billing or credit card processing companies

  • Vendors with access to patient records, such as patient messaging or marketing platforms

To comply with the HIPAA Security Rule, all covered entities must:

  • Ensure the confidentiality, integrity, and availability of all electronic PHI

  • Detect and safeguard against anticipated threats to the security of the information

  • Protect against reasonably anticipated uses or disclosures that are not permitted by the rule

  • Certify compliance by their workforce

Permitted Uses and Disclosures

The Privacy Rule permits important uses of information while protecting the privacy of people who seek care and healing. Practices like Zeel are also obliged to inform patients of any potential use of their health information via signed patient consent forms and distribution of Privacy Practices.

There is a specific and limited set of scenarios in which this information may be disclosed without patient authorization:

  • When required by law

  • When necessary to prevent or lessen a serious threat to health or safety

  • Public health activities

  • Protecting victims of abuse or neglect or domestic violence

  • Health oversight activities

  • Judicial and administrative proceedings

  • Law enforcement

  • Functions concerning deceased persons, such as identification

  • Cadaver organ, eye, or tissue donation

  • Research, under certain conditions

  • Essential government functions

  • Workers’ compensation

Covered entities—including Zeel and members of its provider network—should practice professional ethics and best judgment when considering requests for these permitted uses and disclosures. The HHS Office for Civil Rights enforces HIPAA rules.

Reasonable Safeguards

A covered entity must put in place appropriate administrative, technical, and physical safeguards that protect against uses and disclosures not permitted by the Privacy Rule, and that limit incidental uses or disclosures.

Steps providers can take every day to protect individuals’ health information include:

  • Avoiding speaking about patients or conditions in public areas

  • Taking extra precautions to protect your electronic devices from theft and logging out or turning them off if you walk away from them in a public place

  • Enabling additional security measures, such as two-factor authentication, on any electronic device or platform that holds personal information

The most essential protection of patient privacy is YOU. Awareness of what PHI and PII are, protecting that data, and reporting any incident to Zeel are all important responsibilities you hold as a provider in the Zeel network. If you ever witness, experience, or even suspect a breach of HIPAA compliance, we rely on you to inform us so we can take the necessary measures to protect both you and the individuals you treat.