
What is PHI Under HIPAA? Requirements for Compliance
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 established standards for protecting the security and privacy of sensitive patient data. The law applies to covered entities and their business associates.
But there’s a simpler way to answer the question: do I need to be HIPAA compliant?
If your organization creates, stores, processes, or transmits protected health information, you must adhere to HIPAA regulations.
Under HIPAA, protected health information — commonly referred to as PHI — includes any personal data that can be directly or indirectly linked to a specific individual.
HIPAA rules apply to both covered entities and business associates, but the way the law is administered varies slightly based on which category an organization falls into.
Covered entities include:
Business associates are individuals or organizations that provide services on behalf of a covered entity and also interface with PHI or ePHI. Examples of business associates include:
Consultants employed by a covered entity are considered part of that covered entity’s workforce and are not considered business associates.
The HIPAA Privacy Rule requires that covered entities get “satisfactory assurances” from business associates that they will take the necessary steps to safeguard any protected health information they may receive or create on behalf of the covered entity. These assurances must be made in writing in the form of a Business Associate Agreement (more on BAAs below).
Business associates may only use protected health information for the express purposes defined by the covered entity. They must also protect that information from misuse by following the requirements laid out in the HIPAA Privacy Rule. Business associates are responsible for ensuring any subcontractors also agree to comply with HIPAA rules in the form of a BAA.
If a covered entity discovers that a business associate has suffered a data breach or otherwise mishandled PHI, it must take reasonable steps to address the breach and end the HIPAA violation — or terminate its contract with the business associate. If none of those steps are possible, the covered entity is required to report the issue to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR).
Business Associate Agreements define the business associate’s responsibilities regarding PHI and the steps they will take to comply with HIPAA rules. These agreements include a few key elements:
Use this template as a starting point for your business associate agreement and customize it to fit your needs.
There are some situations where covered entities are not required to have a business associate agreement in place before disclosing PHI. These include: