What Does HIPAA Protect?

  Did you go into health care with the goal of working with people and helping them get healthy? That's a great reason to, but you also need to understand and follow HIPAA. What does HIPAA protect? It covers a lot of things related to health care. Keep reading to learn more about HIPAA protection.

What HIPAA Covers

When wondering, "what does HIPAA protect," you should consider that it protects many things. The biggest category it covers is protected health information (PHI). HIPAA classifies multiple pieces of information as PHI. Some common ones include names, medical dates, phone numbers, and email addresses. PHI also includes full-face photographic images and biometric identifiers, like fingerprints. Account numbers and health insurance beneficiary numbers also fall under PHI. No matter the form, HIPAA protection ensures this information stays safe. Consider a few forms in which HIPAA protection applies.

Paper Records

If you have any print records for your patients, those fall under the HIPAA Privacy Rule. You need to restrict access to the people who need it to do their jobs. While many providers use electronic systems, some still use paper. If you need to copy a patient's ID or health insurance card, that would be a paper record. Paper records can be hard to protect without the right filing system. However, it's essential that you do keep patient records confidential. A HIPAA refresher course can help you ensure you keep these records safe.

Electronic Records

Electronic health records (EHR) make it easier for providers to view, edit, and track patient care. You don't need to have the specific file on hand when talking to or about a patient. However, HIPAA does protect electronic records. What does HIPAA protect with electronic files? It works similarly to the protection of paper files. The biggest difference is that you need to use technological tools to protect the information. You can implement usernames and passwords and grant specific users access to patient files. In some ways, protecting electronic records is easier than protecting paper ones. But you still have to make sure you follow HIPAA when protecting electronic files.

Spoken Information

You also need to protect what you say relating to PHI. While some providers need to talk with colleagues about patient care, HIPAA protects the spoken word. You'll need to speak about patients in a private room with people who can access the information. That can include other providers, but it can also cover patients and a parent or guardian when the patient is under 18. Make sure no one outside your patient rooms can hear what is said inside. If an adult patient has a guest, you should make sure that the patient is okay with the guest being present. Then, you can offer quality care while following HIPAA.

Security Standards

While HIPAA protects patient privacy, it also has standards for how you should secure patient information. The Security Rule covers electronic records, so it affects PHI in any electronic form. However, it does not apply to written or oral PHI. Still, it's important to know the security standards that you need to follow to comply with HIPAA.

Administrative Safeguards

The first type of security standard covers administrative tasks. You should designate a security official to create and carry out the safeguards. They can then create a security management process. The process should identify and analyze potential data risks and use security measures to reduce those risks. HIPAA also requires that covered entities train and manage employees who work with electronic records. Employees should only access the information when necessary. The last part of administrative safeguards is to evaluate them. Review your processes regularly to see what is working and what you can change.

Technical Safeguards

Technical safeguards are also important when working with electronic PHI. One example of this is to require a username or some other identification to access PHI. That can help health care organizations restrict who can access what. You should also use audit controls that track when people access PHI so that you can know when someone is accessing it unnecessarily. Security is also important when transmitting data, such as to an insurance company. You can use something like an encrypted network. The last technical safeguard should keep data from being altered or destroyed. You should use electronic measures to protect data from such changes when managing or sending it.
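The audit-control and integrity safeguards above, as an added example that is not part of the original article: constructed access-log lines are checked against an assumed care-team assignment (the "who may open which chart" policy is a simplification chosen for the example), and an HMAC tag shows one way to detect a record altered in storage or transit.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed care-team assignment: which user ids may open which patient chart.
CARE_TEAM: Dict[str, Set[str]] = {
    "PT-1001": {"dr.lee", "rn.ortiz"},
    "PT-1002": {"dr.patel"},
}

# Constructed access-log lines: timestamp, unique user id, patient id, action.
ACCESS_LOG = """\
2021-03-01T09:02:11Z dr.lee PT-1001 VIEW
2021-03-01T09:05:40Z rn.ortiz PT-1001 EDIT
2021-03-01T09:07:03Z dr.patel PT-1001 VIEW
2021-03-01T09:09:55Z billing.kim PT-1002 VIEW
2021-03-01T09:12:20Z dr.patel PT-1002 VIEW
"""

@dataclass(frozen=True)
class Finding:
    timestamp: str
    user: str
    patient: str
    action: str

def find_unnecessary_access(log_text: str, care_team: Dict[str, Set[str]]) -> List[Finding]:
    """Flag chart accesses by users who are not assigned to that patient.

    The unique user id in each line is what makes this attribution possible:
    a shared login would leave the audit trail unable to say who looked.
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split()
        if user not in care_team.get(patient, set()):
            findings.append(Finding(ts, user, patient, action))
    return findings

def seal_record(record: bytes, key: bytes) -> str:
    """Integrity control: HMAC-SHA256 tag computed when a record is stored or sent."""
    return hmac.new(key, record, hashlib.sha256).hexdigest()

def verify_record(record: bytes, key: bytes, tag: str) -> bool:
    """Recompute the tag and compare in constant time; any alteration fails."""
    return hmac.compare_digest(seal_record(record, key), tag)
```

Flagged entries are a starting point for review, not proof of misuse: a billing clerk may have a legitimate reason that the care-team list does not capture, which is why the reviewing official should own the policy the check encodes.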

Physical Safeguards

Physical safeguards focus on protecting the hardware that houses electronic records, such as the computers and the facility. You should make sure that workstations have protection methods, such as an automatic logout. Having a computer's screen turn off after some inactivity can also keep unauthorized users from getting into the computer and seeing confidential information. It's also important to consider how to restrict access to the area. Using keys or keycards can keep the area available only to people who need to use the computers and equipment in that area.

What HIPAA Doesn't Cover

While HIPAA covers a lot, it doesn't cover everything. Knowing what HIPAA does and doesn't cover can help you ensure you comply with the law. Whether you're a health care provider or a medical office staff member, you should consider what HIPAA doesn't protect. That way, you can help your coworkers follow HIPAA.

De-Identified Information

De-identified information refers to PHI that you can't attach to one person. It can refer to medical records and diagnoses, but you can't get too specific with it. Stripping health records of names, addresses, and other identifiers means the data no longer requires HIPAA protection. This is what allows for collecting public health data and surveys. People collecting the data should follow HIPAA when working with individuals. As long as they make the data very generic, they can release it or talk about it without following HIPAA.
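The stripping of identifiers described above, as an added example that is not part of the original article: it drops the PHI fields the article lists (names, addresses, phone numbers, email addresses, photos, biometrics, account and beneficiary numbers), coarsens dates to a year, scrubs identifiers that leak through free-text notes, and then checks the result. The field names, the sample record and the year-only rule for dates are assumptions of the example, not the article's.

```python
import re
from typing import Any, Dict
# Identifier fields the page lists as PHI: names, dates, phone numbers, e-mail
# addresses, photos, biometrics, account and beneficiary numbers, plus address.
DIRECT_IDENTIFIERS = {
    "name", "address", "phone", "email", "photo", "fingerprint",
    "account_number", "beneficiary_number",
}
# Dates tied to the person are coarsened to a year rather than dropped, so the
# record stays useful for statistics while no longer pointing at one person.
DATE_FIELDS = {"date_of_birth", "visit_date"}
# Patterns that catch identifiers leaking through free-text fields.
PHONE_RE = re.compile(r"\b\d{3}[-.\s]?\d{3}[-.\s]?\d{4}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
FULL_DATE_RE = re.compile(r"\b\d{4}-\d{2}-\d{2}\b")

SAMPLE_RECORD = {  # constructed sample, not real patient data
    "name": "Jane Doe",
    "date_of_birth": "1980-05-17",
    "phone": "555-010-2233",
    "email": "jane@example.com",
    "address": "12 Elm St",
    "account_number": "ACC-0042",
    "beneficiary_number": "BEN-9981",
    "visit_date": "2021-02-03",
    "diagnosis": "Type 2 diabetes",
    "notes": "Patient asked to be called at 555-010-2233 or jane@example.com.",
}

def deidentify(record: Dict[str, Any]) -> Dict[str, Any]:
    """Copy the record without direct identifiers, dates reduced to a year,
    and phone numbers / e-mail addresses scrubbed from any free text."""
    out: Dict[str, Any] = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue  # drop the field entirely
        if key in DATE_FIELDS:
            out[key.replace("date", "year")] = str(value)[:4]  # ISO date -> year
        elif isinstance(value, str):
            out[key] = EMAIL_RE.sub("[REDACTED]", PHONE_RE.sub("[REDACTED]", value))
        else:
            out[key] = value
    return out

def is_deidentified(record: Dict[str, Any]) -> bool:
    """Check that no direct identifier, phone, e-mail or full date survived."""
    if DIRECT_IDENTIFIERS.intersection(record):
        return False
    scrubbers = (PHONE_RE, EMAIL_RE, FULL_DATE_RE)
    return not any(r.search(str(v)) for v in record.values() for r in scrubbers)
```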

Employee Records

When you work for a medical office, they will have records of you on file, even if you aren't a patient. However, your employee records are not subject to HIPAA protection. You aren't that facility's patient, so they don't need to use the same standards and rules to protect them. Now, that doesn't mean your employer is free to discuss your paystubs or other information. But anyone who deals with it, like accountants or HR employees, doesn't have to follow HIPAA and isn't covered under it. Still, it can help for the entire office to understand the basics of HIPAA.

Who HIPAA Covers

If you know "what does HIPAA cover," you should also know who it covers. While the law doesn't protect people the same way it does data, certain groups of people use or follow HIPAA. Consider how you fall into the group of covered entities. That way, you can take steps to protect patient data.

Patients

Patients are not part of HIPAA-covered entities, but the law does protect them. Personal data is important to everyone, and it's up to you to secure your patient information. You need to get a signature from any new patient stating that they agree to your privacy practices. Then, you can follow HIPAA, and your patient can understand how you comply with the law. HIPAA protects patients' right to privacy, and that should be one of your main priorities when providing care. If you need to bring in another provider to watch or help you, you should ask your patient so that they are comfortable with the situation.

Health Care Providers

As a health care provider, you are a covered entity under HIPAA. You can qualify as an individual, and so can your organization or company. Anyone providing care that needs access to PHI is covered. But consider a few examples:

  • Nurses
  • Doctors
  • Dentists
  • Pharmacists
  • Chiropractors
  • Nursing homes
  • Clinics

If you or your employees care for patients, you are probably covered under HIPAA. That means you need to stay up to date with HIPAA so that you can comply with it.

Health Plans

Health plans refer to any plan that offers health care coverage to individuals and families. Of course, there's the common employer-sponsored health insurance, which falls into this category. Private health insurance for individuals is also covered under HIPAA. Health maintenance organizations (HMOs) also qualify and must follow HIPAA rules. HIPAA also covers government health programs, such as Medicare, Medicaid, and military and veterans' health programs. If you have health insurance, your insurer may need to access your PHI for billing and care, so they need to follow the law.

Health Care Clearinghouses

A health care clearinghouse is an organization that processes health information. These companies work with providers and insurers to make sure the data conforms to certain standards. That way, providers and insurers can send information back and forth. Because health care clearinghouses deal with PHI, they need to follow the same rules as other covered entities. They can be an essential part of providing care for patients and ensuring correct billing. Without a clearinghouse, it may be impossible for providers and insurers to process health care claims, making the system harder for everyone.

Business Associates

In a health care office, some business associates are covered under HIPAA. A business associate is covered if that individual has to work with PHI. Example functions include claims processing, quality assurance reviews, or data analysis. Anyone providing these functions for your organization must comply with HIPAA when dealing with PHI. So anyone providing financial, consulting, or management services will need to comply. That way, everyone can do their jobs without sacrificing patient safety. Even though associates aren't working directly with patients, they need to offer the same care and attention as a doctor or nurse. Then, the entire organization can keep patient information safe.

Who HIPAA Doesn't Cover

HIPAA applies to a lot of people in the health care field. While an accountant doesn't spend their day seeing patients, they still need to understand HIPAA guidelines when running the books for a hospital or clinic. Still, HIPAA doesn't cover everyone. Consider a couple of scenarios where HIPAA doesn't apply.

Business Associates

Any business associate that doesn't work with PHI doesn't need to follow HIPAA guidelines. This could include someone like an intern or someone working from a separate office rather than the clinic. If an accountant only works with the hospital's expenses, they wouldn't need to follow HIPAA either. The same is true of a marketing assistant as long as the marketing campaign doesn't use PHI. If you're unsure if a business associate is covered, assume they are. That way, you can be safe rather than sorry. You can have all of your business associates study HIPAA so that they know what to do at work.

Anyone Else Performing Non-Covered Functions

Anyone in your company who doesn't perform covered functions won't be covered under HIPAA. As mentioned, this can include things like accounting and marketing. If you hire a security guard for the facility, they may not need HIPAA training. As long as the guard stays in the waiting room and away from the reception desk, they may not need to follow HIPAA.

Why HIPAA Compliance Matters

Whether or not everyone in your organization is a covered entity, HIPAA compliance is essential. Not complying with the law can compromise things like patient protection. When working with a patient, they need to trust you and your office. That way, you can work with your patient to find the right treatment for them. Not complying with HIPAA can also result in high fines for employees or the organization. Some organizations have had to pay millions of dollars for not following HIPAA protection requirements. And even if you don't face a high fine, you can also damage your trust with patients and the public. Then, it can be hard to get new patients or keep existing ones.

What Does HIPAA Protect?

HIPAA does many things, and it's crucial for health care providers to understand the law. That includes knowing the answer to "what does HIPAA protect?" HIPAA protects patients and their data. When providers follow the law, they can build trust with their patients and offer the best care possible. Do you need to review your knowledge of HIPAA? Enroll in one of our courses today.

For 2021 Guidelines for Healthcare Workers, please click here. For 2021 Guidelines for Business Associates, please click here.