hipaa-compliance


HIPAA Compliance Coding Guidelines

1. Overview

HIPAA (Health Insurance Portability and Accountability Act) applies to Covered Entities (healthcare providers, health plans, healthcare clearinghouses) and Business Associates (any entity that creates, receives, maintains, or transmits PHI on behalf of a Covered Entity). It is built on three rules: the Privacy Rule (who may access PHI), the Security Rule (technical, administrative, and physical safeguards for ePHI), and the Breach Notification Rule (what must happen when unsecured PHI is compromised). Penalties: $137-$68,928 per violation, annual caps of $2,067,813 per violation category, and criminal penalties of up to $250,000 and 10 years imprisonment.

2. What is PHI (Protected Health Information)?

PHI is individually identifiable health information relating to a health condition, the provision of healthcare, or payment for healthcare that identifies, or could be used to identify, the individual. ePHI is PHI in electronic form (databases, APIs, files, logs, backups), which is the developer's primary concern.

Critical distinction: Health data alone is NOT PHI. A blood pressure of 140/90 is not PHI. A blood pressure of 140/90 linked to patient John Smith, DOB 1985-03-15, IS PHI. PHI exists only when health data is linked to identifiers.

The 18 HIPAA Identifiers

hipaa-compliance (peixotorms/odinlayer-skills), first seen Feb 9, 2026