HIPAA Rules
HIPAA, at its highest level, is divided into 3 broad areas.
HIPAA Privacy Rule.
This portion of HIPAA deals with protection, access, and authorization related to PHI. It sets rules for when and how PHI is disclosed. It also gives individuals ownership of their health records, as well as the right to access them and request corrections to them.
HIPAA Security Rule.
The Security Rule sets standards for the security of technology used to access, store, transmit, or process PHI. It is concerned with electronic PHI, or ePHI. It operationalizes much of the Privacy Rule. It is not always prescriptive about how to secure technology, and some aspects are left to interpretation. This section of HIPAA is the most relevant to app developers from a practical standpoint. One additional thing to know is that certain implementation specifications laid out in the Security Rule are either required, meaning you have to do them, or addressable. For an addressable specification, an entity needs to do one of the following:
1) implement the specification as written,
2) implement an alternative specification, or
3) not implement anything for that specific requirement because it is not reasonable or necessary to do so. As with most things in HIPAA, the important thing is that decisions related to addressable specifications are documented.
A quick side note on documentation - as we alluded to earlier, HIPAA is not prescriptive. Therefore, the general approach has been to show that the risk of data leakage / breach has been mitigated to the extent possible, and that the steps taken to do so are documented (and updated when they change). These reams of documentation are in place so that, in case of a breach, companies can show the extent to which safeguards were implemented.
Administrative Simplification.
This area of HIPAA relates to the accepted coding for data exchanged in healthcare. The transactions this applies to are financial (claims, eligibility, enrollment, etc.). As the name implies, the intent is to make it administratively easier to exchange data by not having to keep track of an endless number of code sets. The common standards range from the X12 and NCPDP (pharmacy-related) transaction formats to code sets including DRG, ICD, CPT, NDC, SNOMED-CT, and LOINC, amongst others.