What is HIPAA?

If you’ve seen the news lately, you’ve likely at least heard of HIPAA. Recent ransomware surges in the healthcare sector have brought HIPAA into the mainstream.

HIPAA is the Health Insurance Portability and Accountability Act of 1996, a federal law that sets out how organizations involved in healthcare, such as hospitals and medical clinics, must handle Protected Health Information (PHI). HIPAA was passed to reduce healthcare fraud and abuse and to mandate industry-wide standards for handling PHI.

Who does HIPAA apply to?

HIPAA doesn’t apply only to medical clinics. It applies to anyone who works in the healthcare industry, as well as their business associates. That means if you work with a covered entity (a business or organization that is covered under HIPAA), you may also be a covered entity. This can include software vendors, medical device companies, and even your IT provider.

How long does HIPAA last?

The PHI of an individual is protected by HIPAA for 50 years after the date of their death. Upon death, the legal representative of the individual’s estate has the ability to authorize access to and disclosure of PHI. In general, the Privacy Rule protects a decedent’s health information to the same extent as it protects the health information of a living individual, with a few exceptions. These exceptions allow the disclosure of a decedent’s health information to alert law enforcement about the decedent’s death; to coroners, medical examiners, and funeral directors; for research pertaining to the PHI of decedents; and to organ procurement organizations. After 50 years, the individual’s identifiable health information (such as medical records, photos, and physicians’ journals) is no longer protected by the HIPAA Privacy Rule and can be used with impunity.

Source: https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/health-information-of-deceased-individuals/index.html