The ABCs of HIPAA - a poem from our lawyer
In this industry "privacy" brings to mind regulations and policies that impose stringent requirements for building product and operating the business. So you can imagine my surprise and delight when a HIPAA update from our General Counsel took the form of an acrostic. Sarah Bimber wrote this as part of how Amino celebrated Privacy Week.
All the usual disclaimers that you should probably not get legal advice from a poem, regardless of its author, apply. So don't rely on this for your own decisions.
The ABCs of HIPAA
A is for Authorization - unless the HIPAA Privacy Rule specifically permits it, it’s illegal to use or disclose PHI without an individual’s written authorization.
B is for Business Associate - a person or entity other than a member of the Covered Entity’s Workforce that performs a function or activity involving use or disclosure of PHI on behalf of the Covered Entity. The subcontractors of a Business Associate that use or disclose PHI are also deemed Business Associates. We are typically the Business Associate of our customers and partners, and we have vendors that are our Business Associates.
C is for Covered Entity - an entity subject to HIPAA, i.e., (i) a Health Plan; (ii) a Health Care Clearinghouse; or (iii) a Health Care Provider that transmits any PHI in electronic form in connection with a HIPAA “covered transaction.” In our role as a health care educator with an NPI, we are a Health Care Provider Covered Entity.
D is for De-identified - PHI that has been de-identified in accordance with HIPAA is no longer considered PHI subject to HIPAA’s restrictions (and if the de-identification is not performed in accordance with HIPAA, it remains PHI). The most commonly used method consists of the removal of 18 identifiers associated with the individual, employers, and household members.
E is for Employer - the role of employers under HIPAA is one of its more confusing aspects, particularly as it applies to a business like ours. Employers are not Covered Entities, and employee data is not PHI. Yet, the group health plan sponsored by an Employer is a Covered Entity, and the group health plan members’ information is PHI (simple, right?).
F is for Federal - HIPAA is a federal law, passed by Congress and applicable nationwide. Many states also have additional laws addressing the privacy of health information. HIPAA pre-empts those laws, unless the state law is “more stringent,” meaning the state law provides individuals more rights or is more protective of their information. Most often, state laws are more stringent with respect to specific types of health information (such as mental health records, substance abuse records, or HIV test results) or impose shorter timeframes on actions Covered Entities are required to take (such as responding to an Individual’s access request).
G is for Government - HIPAA is not perfect, but at least we have it.
H is for Health Insurance Portability and Accountability Act of 1996 (HIPAA, never HIPPA) and for the Health Information Technology for Economic and Clinical Health (HITECH) Act (part of the American Recovery and Reinvestment Act of 2009), which updated aspects of HIPAA related to the use of electronic records. If you’re thinking that healthcare privacy and security laws passed in 1996 and 2009 are probably out of date given the state of technology and healthcare in 2022, you would be correct.
I is for Individual Rights - the HIPAA Privacy Rule grants individuals several rights including, among others, the rights to receive a designated record set, to receive a record of certain disclosures, and to submit complaints.
J is for Jail - HIPAA violations may result in criminal as well as civil ($$$) penalties. You’ve probably heard of those hospital employees who accessed celebrity medical records and tipped off the tabloids....
K is for Contract (common abbreviation) - in addition to HIPAA’s regulatory terms themselves, the contracts between a Covered Entity and its Business Associate or a Business Associate and its Subcontractor are very important. These contracts, called Business Associate Agreements or BAAs, must include certain terms required by HIPAA, but can include additional terms further limiting how PHI may be used or shift obligations from one party to another. Disclosing PHI to an organization without a BAA in place is a HIPAA violation.
L is for Liability - a Breach involving PHI can have devastating consequences for a company. Responding to an incident requires immediate redirection of resources and can result in significant costs associated with investigation, mitigation, and notification; reputational damage and loss of business; litigation; and state-related enforcement actions. Any Breach affecting over 500 individuals will also automatically result in the federal government initiating a compliance investigation that could also result in fines and penalties.
M is for Minimum Necessary Rule - not only is this a best practice for reducing risks of data breaches, but HIPAA also imposes a requirement to reasonably limit use, requests, and disclosures of PHI to the minimum necessary PHI needed to perform authorized activities.
N is for Notice - HIPAA requires Business Associates to notify Covered Entities, and Covered Entities to notify Individuals, the government, and in some cases the media, if unencrypted PHI is involved in a “Breach” (which has its own specific definition). HIPAA requires entities to assume that, unless an exception applies, an unauthorized use or disclosure of PHI is a Breach, unless a risk assessment results in a determination that the risk of compromise is low.
O is for Omnibus Rule of 2013 - the last significant regulatory update to HIPAA, which, among many other things, made Business Associates directly liable for HIPAA compliance. The Trump Administration issued proposed rules that would have updated some aspects of HIPAA, but these are currently on hold.
P is for Protected Health Information (PHI) - (full definition) is information created or received by a Covered Entity that identifies an individual (or for which there is a reasonable basis to believe the information can be used to identify the Individual) and relates to (i) the past, present, or future physical or mental health or condition of the Individual; (ii) the provision of health care to the Individual; or (iii) past, present, or future payment for the provision of health care to the Individual. PHI includes information of deceased Individuals for 50 years after the date of death but does not include certain education records protected by the Family Educational Rights and Privacy Act (FERPA), certain student health records not protected by FERPA, employment records held by a Covered Entity in its role as an employer, or information of Individuals who have been deceased for more than 50 years.
Q is for Questions - [we suggested employees contact our Chief Privacy Officer Sarah Bimber.]
R is for Report! - time can be a crucial factor when responding to an incident involving the privacy or security of PHI. Err on the side of caution and report any suspected or potential issues to your supervisor and the Privacy/Legal and Information Security teams immediately.
S is for Safeguards - HIPAA requires Covered Entities and Business Associates to implement a host of administrative, technical, and physical safeguards to protect the confidentiality, accessibility, and integrity of all PHI in its possession or under its control.
T is for Training - annual privacy and security training for all members of our team is just one of HIPAA’s administrative safeguard requirements. By reading this, you’ve just added another “periodic update” notch to your belt.
U is for User Information - unless de-identified in accordance with HIPAA’s de-identification standard or specifically approved as otherwise, the working assumption should be all information associated with individual user accounts maintained by Amino is PHI.
V is for Vaccine Status - in case there’s any doubt, NO, it is not a HIPAA violation for a bar, restaurant, your employer, or you to ask someone’s vaccine status or for anyone to disclose their own vaccine status. HIPAA only applies to Covered Entities and Business Associates and the PHI they’ve collected in that capacity.
W is for Workforce - Our workforce includes all our employees and officers, including any interns, volunteers, or other personnel performing work under our direction and control, whether paid or unpaid. We are responsible for ensuring all workforce members comply with our HIPAA compliance program requirements.
X is for X-rays - this would be a type of PHI. Sorry, I can’t think of anything better.
Y is for You - okay, it’s corny, but our HIPAA compliance and our users’, clients’, and partners’ confidence in us depends on each person taking their obligations to protect PHI seriously.
Z is for Zzzzzz - You made it! Time for some well-deserved rest.
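The "D is for De-identified" entry above names the Safe Harbor method (removal of the 18 identifiers) without showing what "removal" looks like in practice. The following is an added example, not code from the original post or from Amino, showing the field-level handling of a structured record: direct identifiers are dropped, dates are kept at year granularity, ages over 89 are collapsed into a single "90+" category, and ZIP codes are truncated to three digits (or "000" for the sparsely populated prefixes). The field names, the sample record, and the reference date used to compute age are assumptions; the restricted ZIP3 list is the one given in HHS Safe Harbor guidance (based on 2000 census figures) and should be re-checked against current data before use.

```python
"""Safe Harbor-style de-identification of a constructed patient record.

Added example, not code from the original post or from Amino. It implements
the field-level rules of the HIPAA Safe Harbor method (45 CFR 164.514(b)(2))
for structured data: drop the direct identifiers, keep dates at year
granularity, aggregate ages over 89 into "90+", and truncate ZIP codes to the
first three digits (or "000" for restricted prefixes). Field names and the
sample record are assumptions made for illustration.
"""
from datetime import date

# Fields holding identifiers that Safe Harbor requires to be removed outright.
DIRECT_IDENTIFIERS = {
    "name", "street", "city", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_serial", "url", "ip_address", "biometric", "photo",
}

# Date fields "directly related to an individual": only the year may be kept.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

# Three-digit ZIP prefixes whose combined population is 20,000 or fewer
# (HHS Safe Harbor guidance, 2000 census figures); re-check against current data.
RESTRICTED_ZIP3 = {
    "036", "059", "063", "102", "203", "556", "692", "790", "821", "823",
    "830", "831", "878", "879", "884", "890", "893",
}

AGE_CAP = 89  # ages above this must be aggregated into a single "90+" category


def generalize_zip(zip_code):
    """Keep the first three digits unless the prefix is in the restricted set."""
    zip3 = str(zip_code).strip()[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def age_on(as_of, birth_date):
    """Whole years between birth_date and as_of (birthday not yet reached -> one less)."""
    years = as_of.year - birth_date.year
    if (as_of.month, as_of.day) < (birth_date.month, birth_date.day):
        years -= 1
    return years


def deidentify(record, as_of):
    """Return a new dict containing only Safe Harbor-permitted generalizations.

    `as_of` is the reference date for computing age (an assumption: production
    code would derive it from the event the record describes).
    """
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                              # identifier removed outright
        if key == "zip":
            out["zip3"] = generalize_zip(value)   # geography coarser than ZIP5
        elif key in DATE_FIELDS:
            out[f"{key}_year"] = value.year       # day and month dropped
        else:
            out[key] = value                      # state, sex, clinical codes pass through

    birth = record.get("birth_date")
    if birth is not None:
        age = age_on(as_of, birth)
        if age > AGE_CAP:
            out.pop("birth_date_year", None)      # birth year would reveal an age over 89
            out["age"] = "90+"
        else:
            out["age"] = age
    return out


# Constructed sample record (not real data) with a restricted ZIP3 and an age over 89.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-0042",
    "email": "jane@example.com",
    "street": "1 Example Way",
    "city": "Springfield",
    "state": "VT",
    "zip": "05901",
    "birth_date": date(1931, 3, 14),
    "admission_date": date(2021, 11, 2),
    "diagnosis_code": "E11.9",
    "sex": "F",
}
REFERENCE_DATE = date(2022, 1, 28)  # assumed reference date for the age calculation

if __name__ == "__main__":
    print(deidentify(SAMPLE_RECORD, REFERENCE_DATE))
```

Two caveats worth keeping in mind when reading this. Safe Harbor has a second prong, that the Covered Entity has no actual knowledge that the remaining information could identify the individual, which no field filter can satisfy on its own; and the filter above only handles structured fields, so free-text notes (which routinely contain names, dates and phone numbers) need separate scrubbing or the record stays PHI.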
Want to wake up to poems from your lawyer? We're hiring for a COO, Senior Data Scientist, and more.
2y: “...you would be correct.” 😆 Pretty much sums up the state of the industry. Sounds like you’ve landed at a great place!
2y: Trinity Car Julian Hwang I thought you'd get a kick out of this.