What Public Health Agencies Need To Know About HIPAA

07/26/2019 By Wilson

Are you confused about HIPAA and how it can affect your public health agency? You’re not alone. HIPAA can be difficult to navigate when you’re working for yourself. In an era where healthcare records are increasingly maintained online and in the cloud, compliance with the Health Insurance Portability and Accountability Act (HIPAA) is becoming more important than ever to keep information from becoming vulnerable.

Working in healthcare usually means handling a large amount of sensitive personal information (PHI), and if you handle any sensitive data, following the established HIPAA guidelines will ensure appropriate and consistent security, accessibility and confidentiality. It’s vital to know what your public health agency needs to do to comply with federal regulations for protecting patient information.

The U.S. Department of Health & Human Services established the HIPAA rules to ensure that PHI remains confidential and is disclosed only as needed for patient care. These rules also give patients rights to their own personal information and provide safeguards for health care providers and other covered organizations.


What is HIPAA?

HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. HIPAA requires that any information, whether it is delivered through electronic devices, on paper, or orally, be protected from any unauthorized entity.

HIPAA is comprised of five titles. They are:

●     Title I: Regulates access and availability to health care plans. It also covers portability and renewability of coverage. For instance, this title regulates how group insurance plans can handle new enrollees with preexisting conditions.

●     Title II: Includes the Privacy Rule and regulates how you may share Protected Health Information (PHI) with covered entities, such as insurers or health care clearinghouses.

●     Title III: Handles medical savings accounts (MSA) and standardizes how much an individual can save for such accounts.

●     Title IV: Focuses on how group health plans can be applied and enforced.

●     Title V: Regulates tax deductions for employers related to life insurance premiums.


What is PHI?

PHI stands for Protected Health Information. This refers to 18 specific HIPAA identifiers that can be traced back to any of your clients. PHI includes the following identifiers:

  1. Name
  2. Location
  3. Personal dates related to the client, not including the year
  4. Phone numbers
  5. Fax numbers
  6. Email addresses
  7. Social Security number
  8. Medical record number
  9. Health insurance plan beneficiary number
  10. Account numbers
  11. License or certificate numbers
  12. Vehicle numbers (license plate number)
  13. Device numbers
  14. Web URL
  15. Internet Protocol (IP) address
  16. Biometric identifiers (fingerprint, voice, retinal scans)
  17. Photograph (not limited to face)
  18. Any other distinct identifying characteristic, number, or code


Am I Required to Keep a Record of PHI Disclosures?

Yes. It’s important that you keep any signed PHI disclosures on file. Come up with a standard privacy policy for your health agency that reflects the HIPAA Privacy Rule, and share this policy with your clients before meeting with them. Your client should be notified of how you handle their Protected Health Information. If you anticipate sharing their PHI with a third party (such as a healthcare payer), you must ask the client's permission to do so. This permission must be granted in writing with the client's signature on it. Remember to keep the signature for your records.

Furthermore, along with your intake forms, openly display your notice of privacy in your office as well.

There are different ways for you to comply with this HIPAA requirement. Many offices decide to use a highly visible area, such as the reception desk or the focal wall, to display the notice of privacy. You should consider printing the notice of privacy practices in booklet form and keeping copies easily accessible on a desk, coffee table, or side table in the reception area.


Who should be mindful of HIPAA regulations?

First of all, the usual suspects in the healthcare business should be prepared when it comes to HIPAA, meaning any individual, organization, or agency defined as a “covered entity.” Covered entities are required to comply with HIPAA to protect the privacy and security of health information, and this includes healthcare providers, health plans, and healthcare clearinghouses.


  • Health care providers: These include doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies if they transfer information electronically regarding any transaction for which HHS has adopted a standard.
  • Health plans: Any health insurance companies, HMOs, company health plans, and government programs such as Medicare, Medicaid, or military and veterans programs that pay for health care.
  • Health care clearinghouses: Any public or private entities that process health information, such as billing services, repricing companies, or community health management information systems.

The Centers for Medicare and Medicaid Services have provided a chart that allows you to determine whether you are considered a covered entity.

In recent times, the Department of Health and Human Services has announced that it would require HIPAA compliance for any covered entity's business associate who creates, receives, transmits, or maintains PHI. The change recognizes that it’s no longer only doctors who deal with private information. For example, attorneys, accountants, and tech companies who provide data storage can be labeled as business associates. This means that even the smallest of organizations may be audited for HIPAA compliance, reinforcing the requirement for high-end security all around.


Who isn't required to comply with HIPAA?

Keep in mind that there are tons of companies and people who aren’t required to comply with HIPAA, and there are many times when health information may be available to these entities. HIPAA only applies to covered entities and their business associates.

Here are some examples of those who aren’t covered under HIPAA but may handle health information:

●     Life and long-term insurance companies

●     Workers' compensation insurers, administrative agencies, or employers (unless they are otherwise considered covered entities)

●     Agencies that deliver Social Security and welfare benefits

●     Automobile insurance plans that include health benefits

●     Search engines and websites that provide health or medical information and are not operated by a covered entity

●     Marketers

●     Gyms and fitness clubs

●     Direct to consumer (DTC) genetic testing companies

●     Many mobile applications (apps) used for health and fitness purposes

●     Those who conduct screenings at pharmacies, shopping centers, health fairs, or other public places for blood pressure, cholesterol, spinal alignment, and other conditions

●     Certain alternative medicine practitioners

●     Most schools and school districts

●     Researchers who obtain health data directly from health care providers

●     Most law enforcement agencies

●     Many state agencies, like child protective services

●     Courts, where health information is material to a case


What does HIPAA compliance accomplish?

HIPAA compliance ensures any sensitive information is protected. Covered entities are entrusted with details that should never fall into the hands of uncovered entities. Even so, healthcare providers and other entities must still be able to share information with the patients themselves and other authorized parties. These workflows may be vital for doing business and providing care, but they also introduce new weaknesses, which is why the regulations were developed.

HIPAA rules implement a system of checks on covered entities' practices and allow patients to have control over how their personal information is used. HIPAA compliance also ensures that only properly authorized users are accessing this confidential information, thereby diminishing the chance of security breaches and subsequent, potentially malicious exploitation of personal information.


What’s at risk with HIPAA compliance?

There are many types of HIPAA compliance violations, ranging from exposing unencrypted data to unintentional employee error, lax agreements with business associates, and unreported security breaches. Violation of HIPAA can cost any covered entity up to $50,000 per violation.

Furthermore, violations can cause irreparable damage to your agency. If you work in healthcare, trust is one of the most important assets you can have. And with state-specific breach notifications, along with a new national standard potentially coming soon, you’re required to notify people if a breach involves the PHI of 500 people or more. You also may find yourself unflatteringly reflected on the HHS wall of shame, where they publish information about entities and business associates whose management of PHI has been found deficient.

Often, these violations can be prevented, or at least easily resolved, with the implementation of something as simple as PINs or password changes. It’s worth becoming familiar with the HIPAA requirements and appraising your company often, especially with major changes coming in the future.


How to find out if your agency is complying with HIPAA

The HIPAA regulation consists of varying standards, safety measures, and implementation specifications that a covered entity must meet to be fully compliant. Because HIPAA takes many aspects of the work environment into consideration, the complete extent of HIPAA compliance is rather complex, especially when touching upon security measures.


How to ensure HIPAA compliance in the cloud

Cloud-based storage has become par for the course for many public health agencies, and it’s not surprising how appealing this system has become, since it provides space, mobility, and ease for health care professionals in the office or on the move. As health care agencies come under increasing pressure to deliver quality care under tighter schedules, efficiency is key, and that’s where the cloud has become the most effective.

In certain ways, the cloud makes complying with HIPAA much more seamless: for instance, PHI can be easily accessed in the event of an emergency, and authorized access can be clearly designated. At the same time, storing PHI in the cloud comes with a whole other set of problems, including accidental sharing of data with unauthorized users or theft of unencrypted devices.

As of 2013, however, cloud service providers have been considered “business associates” in HIPAA parlance, meaning that any company providing cloud storage for a HIPAA-compliant organization must itself be HIPAA compliant. That’s a great start in mitigating your own risk, suggesting that your PHI will remain secure even outside the physical confines of your agency.



As we look into the future, it’s important to monitor the electronic exchange of private health information. Make sure your public health agency is compliant with HIPAA soon, so that you don’t end up violating any rules or with a negative reputation on your hands. Your patients are trusting you with their personal information, so it’s your duty to ensure that confidential information remains safe at all times.