If you perform healthcare services in the United States, you'll need to abide by the Health Insurance Portability and Accountability Act (HIPAA). Originally signed into law by Congress in 1996, it's designed to protect the privacy of healthcare patients by establishing certain rules and requirements. The first step towards compliance, however, is to familiarize yourself with the common terms associated with HIPAA.
Covered Entity
The Department of Health and Human Services (HHS) classifies a covered entity as a healthcare provider, a health plan, or a healthcare clearinghouse that transmits the health information of its patients. Covered entities are required by law to comply with HIPAA and its respective rules.
Protected Health Information
Under the HIPAA Privacy Rule, Protected Health Information (PHI) is personally identifiable information that is created, stored and/or transmitted by a covered entity or one of its business associates. Examples of PHI may include a patient's name, home address, phone number, medical records, treatment history, Social Security number, etc.
Electronic Protected Health Information
PHI as defined above, but in digital (not paper or oral) form. A PDF file of a patient's health record, for instance, is considered Electronic Protected Health Information (EPHI).
Business Associate
A business associate is another person or company that has access to the PHI of a covered entity. Doctors and other covered entities often outsource certain tasks to other companies. If the other company has access to the doctor's PHI, it is considered a business associate and must abide by the rules of HIPAA.
Business Associates Agreement
As the name suggests, a business associates agreement (BAA) is a document that outlines the type of PHI to which the business associate has access, as well as the ways in which the business associate may use it. When a covered entity hires or otherwise uses the services of a third party, and that third party has access to its PHI, a business associates agreement must be created to comply with HIPAA.
Due Diligence
Due diligence applies when a covered entity or business associate has violated HIPAA but had taken steps to prevent the violation from occurring. The maximum fine for due diligence is $50,000 per violation, with an annual maximum fine of $1.5 million for repeat violations.
Reasonable Cause
Reasonable cause is a type of HIPAA violation in which the covered entity or business associate took steps to prevent the violation but failed to address something. It carries the same maximum fine as due diligence.