HIPAA applies to covered entities and their business associates.

Covered entities are businesses or organizations that create, receive, or transmit PHI, such as health insurance companies that have your claims information, doctors that have your prescription records, and healthcare clearinghouses that help doctors get reimbursements from your insurance.

Business associates are people or entities that perform certain functions or activities that involve PHI on behalf of a covered entity, such as SaaS companies, data storage providers, and medical device manufacturers.

Many aspects of healthcare services and data processing has shifted online, in the form of a talk therapy app or patient signature SaaS. You might wonder whether the project you’re working on falls under the jurisdiction of HIPAA, and even if it doesn’t, what other regulations you might be unaware of.

In general, if you’re collecting, processing, storing, or sharing sensitive PHI, HIPAA likely applies to you. However, if HIPAA doesn’t apply and you are unsure, check out this guidance issued by the Federal Trade Commission (FTC).

In 2021, The FTC noted the Health Breach Notification Rule, which requires notification in case of a breach to even apps that are not covered under HIPAA. Many Healthtech apps fall under this Breach Notification Rule. Violations can be as high as $43,000 per violation per day.

Any health information that contains individual identifier that is used, maintained, stored, or transmitted by a covered entity or its business associate is considered PHI regardless of its origin. The 18 identifiers that make health information PHI are:

• Name
• Address (all geographic subdivisions smaller than state, including street address, city county, and zip code)
• All elements (except years) of dates related to an individual (including birth date, admission date, discharge date, date of death, and exact age if over 89)
• Telephone numbers
• Fax number
• Email address
• Social Security Number
• Medical record number
• Health plan beneficiary number
• Account number
• Certificate or license number
• Vehicle identifiers and serial numbers, including license plate numbers
• Device identifiers and serial numbers
• Web URL
• Internet Protocol (IP) Address
• Biometric identifiers (such as fingerprints, or retinal scan)
• Photographic image - Photographic images are not limited to images of the face.
• Any other characteristic that could uniquely identify the individual

It’s not only past and current health information that is covered under HIPAA. HIPAA also includes future information about medical conditions or physical and mental health that’s related to the provision of care or payment for care.

The only exception to HIPAA is when the health data collected is not on the behalf of a covered entity, such as heart rate data recorded by fitness trackers (see earlier section Does HIPAA Apply to My Health Tech App? for more details).

With Skyflow Data Privacy Vault as part of your architecture, you can better protect your patients’ PHI by preventing sensitive data from sprawling across your systems. When PHI is centralized, management and compliance become straightforward. Centrally enforce policies so only the right people and workflows can access sensitive data.

To learn how Skyflow helps companies like IBM protect billions of rows of clinical trial data, schedule a call with us.

HIPAA violations can range from civil penalties starting at $100 per violation to penalties for willful negligence that carry fines starting at $250,000, with the possibility of jail time. These fines might be accompanied by expensive and time-consuming corrective action plans, not to mention a reputation-damaging inclusion on the “HIPAA Wall of Shame.”

Some states and federal agencies have either banned or provided very strict guidelines for any Medicaid data to be stored or processed overseas. You can use Skyflow’s data residency features to keep PHI in the country it was collected to minimize risk, removing a potential layer of complexity.

There is no specific language in HIPAA that restricts the data residency of PHI and would forbid it from being stored or processed. You can use Skyflow’s data residency features to keep PHI in the country it was collected to minimize risk, removing a potential layer of complexity.

HIPAA is specifically applicable to PHI. But chances are if you’re handling PHI you’re likely handling personal identifiable information (PII) that falls within the scope of one of the consumer privacy laws in the US: California’s CCPA and its amendment, CPRA, Virginia’s VCDPA, Colorado’s ColoPA, and Utah’s UCPA.

Privacy regulation can feel like a lot to handle, even when these laws apply only to people who live in specific states. But fear not. If you take a privacy by design approach to handle all personal information, you can easily comply with existing and new privacy regulations from anywhere in the United States and beyond.

If your business is already aligned with HIPAA, maintaining compliance with other state privacy laws shouldn’t be too much hassle. Learn more about how Skyflow can help organizations of all sizes simplify and accelerate CCPA compliance.