The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law that establishes requirements for handling protected health information (PHI).
Organizations that collect or process this information in the USA, and the service providers working for them, must comply with HIPAA if they want to avoid sanctions. For European companies in particular, HIPAA is a body of rules that is difficult to understand and hard to keep track of.
This article will give you an overview of it and help you avoid common misunderstandings and false assumptions, making it easier to get to grips with the act.
The Health Insurance Portability and Accountability Act (HIPAA) is a US federal statute. The regulations that implement it were issued by the US Department of Health & Human Services (HHS) as Parts 160, 162 and 164 of Title 45 of the Code of Federal Regulations (45 CFR), which have been amended several times since.
In the way it amends many existing laws and codes, it is comparable to the German Digitale-Versorgung-Gesetz (DVG), which amended SGB V among others.
The texts of HIPAA are difficult to understand. This is due to
The US Department of Health & Human Services (HHS) provides an unofficial consolidated version of the HIPAA regulations (45 CFR Parts 160, 162 and 164) that is much easier to read than the individual rulemakings.
HIPAA was passed in 1996. Since then, the regulations have been amended and supplemented numerous times, most significantly by the HITECH Act of 2009 and the Omnibus Rule of 2013.
The HIPAA regulations have three parts:
Part 160 contains the general administrative requirements, including the definitions (e.g., of "covered entity" and "protected health information") and the enforcement provisions.
Part 162 contains the administrative simplification requirements: standards for electronic transactions, code sets and identifiers.
Part 164 establishes the requirements for the privacy and security of protected health information (the Security Rule applies to PHI in electronic form) and the procedure to follow if that protection has been breached.
We often talk about HIPAA Rules. These are not additional requirements; each rule is simply a label for certain parts of the regulations:
Security Rule: Part 160 and Part 164, Subparts A and C. Administrative, physical and technical safeguards for electronic PHI, i.e., IT security. Strictly speaking, data protection is the subject of the next rule.
Privacy Rule: Part 160 and Part 164, Subparts A and E. Permitted uses and disclosures of PHI and the rights of the individuals concerned.
Enforcement Rule: Part 160, Subparts C, D and E. Rights and obligations of the authorities when enforcing HIPAA (investigations, penalties).
Breach Notification Rule: Part 164, §§ 164.400-414. Breach reporting obligations.
Omnibus Rule: the final rule of 2013 that implements the HITECH Act of 2009. Among other things, it makes business associates, such as cloud service providers, directly liable under the Security Rule and parts of the Privacy Rule and tightens the requirements for contracts with them (business associate agreements).
In these parts, HIPAA establishes:
According to the definition provided, health information is only information that is created or received by certain organizations:
"health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse"
Source: 45 CFR § 160.103
What is meant by "health plan" is also clarified in a definition:
"an individual or group plan that provides, or pays the cost of, medical care (as defined in section 2791(a)(2) of the PHS Act, 42 U.S.C. 300gg-91(a)(2)) […]"
Source: 45 CFR § 160.103
Note that this list only defines what counts as health information. The organizations actually bound by the rules are the "covered entities" defined in the same section: health plans, health care clearinghouses, and health care providers that transmit health information electronically. Neither software manufacturers nor cloud service providers fall under this definition. However, a manufacturer's software must provide what these organizations need in order to meet the requirements, or they will not be able to use it.
A service provider that handles PHI on behalf of a covered entity, such as a cloud service provider, is a "business associate". Since the Omnibus Rule, business associates are directly subject to the Security Rule and to parts of the Privacy Rule, and they must sign a business associate agreement with the covered entity.
HIPAA refers to protected health information (PHI): individually identifiable health information that a covered entity or business associate holds or transmits, in any form. This is similar to what the GDPR calls personal data. Examples include names, contact details, identifying numbers, medical data (the GDPR calls this "data concerning health"), photos and invoices.
Like the GDPR and the BSI guidelines, HIPAA requires technical and organizational measures. In HIPAA's terms, these are the administrative, physical and technical safeguards of the Security Rule.
Some of these measures result in infrastructure and IT system requirements:
A lot of the measures are organizational in nature. For example:
Just as software cannot be ISO 13485, IEC 62304 or GDPR-compliant, it cannot claim to be HIPAA-compliant, let alone HIPAA-certified. Compliance is a property of the organization that uses the software and of its processes.
However, software can provide the technical prerequisites a covered entity or business associate needs in order to comply. For example, if the software offers no way to encrypt data, its users will struggle to meet the Security Rule. (Strictly speaking, encryption is an "addressable" specification in the Security Rule: an organization may forgo it only if it documents why encryption is not reasonable and appropriate and implements an equivalent alternative.) Hence, there is no HIPAA certification for products.
Strictly speaking, there is no such certification for organizations either. There are companies that conduct audits and then issue a certificate, but this is not based on an official accreditation, and HHS does not recognize any such certificate as proof of compliance.
Sometimes the term HIPAA certification is used in the context of personal certifications. This means that an individual has passed an exam where they demonstrated their HIPAA competency.
HIPAA is often understood as being the US's health data protection requirements.
This idea is not wrong, but it's not the whole picture. The "portability" in the act's name actually refers to the portability of health insurance coverage when a person changes employer (Title I of the act). The provisions that matter for software come from Title II, "administrative simplification", which covers not only privacy and security but also the standardization of electronic transactions and code sets (Part 162), i.e., interoperability.
However, the statute itself is far too high level to be used as an interface specification. It is the regulations in Part 162 that adopt concrete standards: ASC X12 transaction sets for claims, eligibility and remittance, NCPDP standards for pharmacy transactions, and semantic standards such as the ICD catalog for diagnoses and procedures (originally ICD-9-CM, replaced by ICD-10-CM/PCS in 2015) and CPT codes for services such as laboratory and radiology.
Both HIPAA and the GDPR are laws relating to data protection. However, they differ in many respects:
There is a lot of money to be made from HIPAA. So, be careful about where you get your information from. A good place to start is the official website of the US Department of Health and Human Services (HHS), whose Office for Civil Rights (OCR) enforces the Privacy, Security and Breach Notification Rules.
The requirements of HIPAA are very broad and go beyond data protection. Whether it is wise to mix such disparate aspects in one act is another matter.
Anyone who already has a certification, e.g., according to ISO 27001 or BSI IT-Grundschutz, has already covered a large part of HIPAA's IT security requirements (the Security Rule). The Privacy Rule's patient rights, the business associate agreements and the Breach Notification Rule's deadline of no later than 60 calendar days after discovery of a breach are not covered by such a certification and still have to be addressed separately.
Conformity can only be achieved through organizational and technical measures, ideally managed through an information security management system (ISMS).
HIPAA should hold no terrors for BSI or ISO 27001-certified organizations. However, the US authorities consistently impose penalties for breaches, so the remaining gaps are worth closing.