Tânia Rocha | May 15, 2020

How much do you know about HIPAA?

COVID-19 is impacting health around the world and making us understand the value of data. Right now, health professionals are still unsure about the right treatments because there is little knowledge around the virus. Hopefully, in a few years, we'll know which treatments were helpful or not.

Now, health professionals and scientists need to access as much detailed information as they can to help treat patients. On the other hand, in some cases we may be compromising the privacy of patient information.

At Aurora, we have been learning about HIPAA compliance to help our clients understand how they should apply the regulations. We developed a HIPAA widget where you can check whether you’re compliant or not, and compiled the main information and questions about it.

What’s HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is a law signed by President Bill Clinton in 1996 to provide data privacy and security provisions for safeguarding medical information. So, if you’re an entity that handles, transmits, possesses or is responsible for health records, you must comply with HIPAA.

The act contains five titles:

  • Title I: HIPAA Health Insurance Reform
  • Title II: HIPAA Administrative Simplification
  • Title III: HIPAA Tax-Related Health Provisions
  • Title IV: Application and Enforcement of Group Health Plan Requirements
  • Title V: Revenue Offsets

Title II is the important one for tech companies. It originally included 5 elements, with a sixth added in 2013:

  • National Provider Identifier Standard
  • Transactions and Code Sets Standard
  • HIPAA Privacy Rule
  • HIPAA Security Rule
  • HIPAA Enforcement Rule
  • HIPAA Omnibus Rule (added in 2013)

HIPAA was initially created to “improve the portability and accountability of health insurance coverage” for employees between jobs. The second goal was to combat waste, fraud and abuse in health insurance and healthcare delivery.

For the healthcare industry, HIPAA improved the efficiency and security of protected health information during the transition from paper to electronic records.

For patients, HIPAA ensures that healthcare organizations must protect their sensitive data. If they fail, there will be repercussions.

The rules

HIPAA Privacy Rule

Patient health information must be protected.

The Privacy Rule demands that appropriate safeguards be implemented to protect the privacy of Protected Health Information (PHI). It also sets limits and conditions on the use and disclosure of that information without patient authorization.

The rule also gives patients (or their nominated representatives) rights over their health information, including the right to obtain a copy of their health records or examine them. Covered entities must answer patient requests within 30 days.

HIPAA Security Rule

The Security Rule contains the standards that must be applied to safeguard and protect electronic protected health information (ePHI) when it is at rest and in transit. It applies to any person or system that has access to confidential patient data (to read, write, modify, or communicate it). The rule covers administrative, physical and technical safeguards.

HIPAA Enforcement Rule

The Enforcement Rule contains the procedures to be followed in case of a potential or alleged compliance violation, such as a breach exposing protected health information.

Penalties for compliance violations depend on the level of negligence and range from $100 to $50,000 per violation.

HIPAA Omnibus Rule

The Omnibus Rule was added in 2013 to update the existing rules, giving individuals new rights over their health information and strengthening the government’s ability to enforce the HIPAA privacy and security protections.

Which countries are affected by HIPAA regulations?

HIPAA applies to American citizens and healthcare organizations located in America (i.e. if the citizens are outside of America, the regulations aren’t applicable).

The European Union has had a similar set of regulations since 2018, the GDPR (General Data Protection Regulation). Unlike HIPAA, which is an organization-centric regulation, GDPR is a consumer-centric regulation, and it also applies when the citizens are outside of the EU.

Do I need to be HIPAA compliant?

Yes, if you’re considered a Covered Entity or a Business Associate.

Covered Entities are individuals or entities that transmit protected health information for transactions, which include:

  • Healthcare providers
    • Doctors, clinics, psychologists, dentists, nursing homes, pharmacies, but only if they transmit information in electronic form in connection with a HIPAA transaction (e.g. sending a claim to a health plan to request payment for medical services)
  • Health plans
    • Health insurance companies
    • Health maintenance organizations (HMOs)
    • Company health plans
    • Government programs that pay for healthcare
  • Healthcare Clearinghouses
    • Entities that process nonstandard health information received from health entities into a standard format, or vice versa, such as billing services or health management information systems

HHS has an easy-to-use question-and-answer decision tool to find out whether your organization, or you as an individual, is a covered entity.

Business associates are individuals or companies that provide services to covered entities. Some examples are:

  • Third-party administrators
  • Billing companies
  • Transcriptionists
  • Cloud service providers
  • Data storage firms

Does the HIPAA Privacy Rule allow a covered entity to share the name or other identifying information of an individual who has been infected with the virus SARS-CoV-2 with law enforcement, paramedics, other first responders, and public health authorities without that individual’s authorization?

Yes, in certain circumstances such as:

  • When the disclosure is needed to provide treatment
  • When such notification is required by law
  • To notify a public health authority in order to prevent or control the spread of the disease
  • When first responders may be at risk of infection
  • When the disclosure of PHI to first responders is necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public
  • When responding to a request for PHI by a correctional institution or law enforcement official having lawful custody of an inmate or other individual

HHS explains all the details of each circumstance, giving examples to help you understand.

We are empowering medical providers to serve patients wherever they are during this national public health emergency. We are especially concerned about reaching those most at risk, including older persons and persons with disabilities.

Roger Severino, OCR Director.

HHS provides a list of resources that help explain this and other questions about how patient health information may be used and disclosed in response to the COVID-19 nationwide public health emergency.

Aurora’s HIPAA widget

Aurora created a widget hipaa.auroradigital.co with some of the main questions about HIPAA regulations. You’ll be able to find out if your organization is compliant, and check the details of each regulation.

Try the widget and feel free to give us feedback. We’re also available to answer your questions about HIPAA at contact@auroradigital.co.