HIPAA database requirements – who needs to meet them?


Privacy is important when it comes to personal data; this is doubly true for medical data that can be traced back to a patient. This is why a special Act – the Health Insurance Portability and Accountability Act, or HIPAA, passed in 1996 – was needed to ensure the protection of such data.

According to HIPAA, your business needs to be compliant if it falls under one – or more – of the Act’s “covered entity” categories, or if it is a “business associate” connected with such an entity.

The main criterion for being included in the HIPAA list of entities and associates is the handling of Personal Health Information (PHI) and how it should be kept safe.

This means that if your business, or any associated business you work with, handles health data that can be traced back to a particular individual, that data needs to be stored in a secure place that meets HIPAA database requirements.

And so, if your business aims to meet these requirements, the best time to make sure your data is stored securely in HIPAA compliant databases is today. In fact, you could start creating your own cloud database solutions that meet all the requirements right now.

Contact us now to learn more about how you can create your own HIPAA compliant databases in the cloud.

What are the HIPAA database requirements?

The HIPAA Privacy and Security Rules require that any business that deals with the PHI of individuals – whether directly or indirectly – comply with the law. They also establish the requirements for the “use, disclosures, and safeguarding” of health information that can be attributed to any single identity.

With that in mind, HIPAA focusses on four key aspects of the usage, transfer, and storage of PHI. These aspects are:

  • Privacy – ensuring the individual’s data is kept confidential
  • Security – ensuring the safekeeping of their data using physical, digital, and administrative measures/methods
  • Safeguarding unique identifiers – information such as Social Security numbers and account numbers is stripped out when, for example, the data is collected for research and analytical purposes
  • Encryption – encoding all data that is transmitted, stored, and in use

The best way to cover these aspects is by using data storage solutions that meet the HIPAA database requirements.

What exactly is PHI data?

According to HIPAA Journal, there are distinct datasets that make up PHI. These datasets, grouped into five broad categories (with examples), are:

Unique identifiers

  • Names
  • Dates (except year)
  • Location data
  • Social Security numbers
  • Any other number or code that can be used to uniquely identify an individual

Communication information

  • Telephone numbers
  • FAX numbers
  • Email addresses

Record or account numbers

  • Medical record numbers
  • Account numbers – for any service
  • Health plan beneficiary numbers
  • Certificate or license numbers
  • Vehicle identifiers and serial numbers like license plates

Digital information

  • Website URLs
  • Device identifiers and serial numbers including IP addresses

Images and other media

  • Photos and comparable images
  • Biometric data

It should be noted here that, although all identifiable health information could be considered PHI data, there are some exceptions. For example, if the health data is collected via wearable or mobile devices – think pulse rate, heart rate, and distance travelled from a fitness or phone app – it is not considered PHI because it is not being harvested by “covered entities” or their “business associates.”
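As an added illustration of the “safeguarding unique identifiers” aspect described earlier, applied to the PHI categories just listed (example code, not from the original article): every field name and the sample record below are constructed for this example, and the function handles structured fields only, not free text.

```python
import re

# Fields dropped outright, grouped by the PHI categories listed on the page.
# Field names are constructed for this example, not taken from a real schema.
STRIP_FIELDS = {
    "name", "address", "city", "zip",             # unique identifiers / location
    "ssn",
    "phone", "fax", "email",                      # communication information
    "mrn", "account_no", "plan_beneficiary_no",   # record or account numbers
    "license_no", "vehicle_plate",
    "url", "ip_address", "device_serial",         # digital information
    "photo", "fingerprint_template",              # images and biometric data
}

# Dates are generalised to the year only ("dates (except year)").
DATE_FIELDS = {"dob", "admission_date", "discharge_date"}
_ISO_DATE = re.compile(r"^(\d{4})-\d{2}-\d{2}$")


def strip_identifiers(record: dict) -> dict:
    """Return a copy of `record` with identifier fields removed and dates
    reduced to their year; clinical content is kept untouched."""
    out = {}
    for key, value in record.items():
        if key in STRIP_FIELDS:
            continue                              # identifier: drop the field
        if key in DATE_FIELDS:
            m = _ISO_DATE.match(str(value))
            if m:                                 # keep only the year
                out[key] = m.group(1)
            continue                              # unparseable date: drop it
        out[key] = value
    return out


def contains_identifier(record: dict) -> bool:
    """Release check: True if any identifier field or full date survives."""
    for key, value in record.items():
        if key in STRIP_FIELDS:
            return True
        if key in DATE_FIELDS and not re.fullmatch(r"\d{4}", str(value)):
            return True
    return False


# Constructed sample record: identifiers mixed with clinical content.
SAMPLE_RECORD = {
    "mrn": "MRN-0001", "name": "Jane Example", "dob": "1980-04-12",
    "ssn": "000-00-0000", "phone": "555-0100", "email": "jane@example.invalid",
    "zip": "00000", "ip_address": "192.0.2.10", "admission_date": "2023-11-02",
    "diagnosis_code": "E11.9", "hba1c": 7.4,
}
```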

What are “covered entities” and “business associates”?

According to HIPAA, the businesses or enterprises that are “covered entities” include those which are directly involved with the capturing, storing, and processing of PHI:

  • Health care providers
  • Health plans
  • Healthcare clearinghouses

Examples: doctors’ offices, dentists, pharmacies, insurance companies

On the other hand, we have the “business associates” that are indirectly involved with the capturing, storing, and processing of PHI:

  • Support companies
  • Sub-contractors
  • Legal representatives

Examples: tech support, retained law offices, answering services, managed service providers (MSPs)

A special note about banks: until 2009, when HIPAA entities were revised, banks and other financial institutions that handled payments and transactions were exempt from complying with HIPAA database requirements. Not anymore, though; now they too need to use HIPAA compliant databases.

Your non-compliance can cost you dearly

The penalties for non-compliance are, quite understandably, stiff; if incurred, they can seriously hurt a business and, in a worst-case scenario, force it to close shop for good.

HIPAA fines can reach up to $50,000 per violation, even if the infraction was unintentional. In cases of willful neglect, the fines can go higher; even the first mistake could end up being a costly affair.

To date, the most expensive HIPAA fines have cost Advocate Health Care (AHC) $5.5 million for losing the data of about 4 million patients. Meanwhile, New York Presbyterian Hospital and Columbia University had to fork over $4.8 million when the personal data of 6,800 individuals ended up on the Internet.

Keep your PHI safe – create a HIPAA compliant database today…

To be honest, with easy-to-use, low-code cloud database design tools at your disposal, no one really has an excuse for not meeting the HIPAA database requirements.

To learn how you can own a secure data storage solution – a HIPAA compliant database – in a short time, contact us.