Medcom Blog

HIPAA Muddy Waters

HIPAA Privacy and Security: Clearing the Muddy Waters

Let’s think back. Think REALLY far back…all the way back to January 3, 2019. In January we shared a blog “All About HIPAA Privacy & Security,” which detailed exactly what HIPAA stands for and how Medcom can help companies become HIPAA compliant.  Yes, we know that was nearly two full months ago and you’ve been busy, not to mention we write such incredible content on the MedcomBlog we’re sure it's hard to keep up! So for the sake of your memory and our typing hands, here is a link to that blog so you can brush up on the basics of HIPAA: Click Here!

Now that we have reestablished HIPAA stands for the Health Insurance Portability and Accountability Act, and it “reduces health care fraud and abuse, mandates industry-wide standards for health care information on electronic billing and other processes, and requires the protection and confidential handling of protected health information,” we can successfully move on to the next chapter: Clearing the Muddy Waters.

HIPAA went into full effect on April 14, 2003.  After nearly 16 years it seems we would have a clear understanding of our roles and responsibilities in ensuring the safety and confidentiality of protected health information.  Yet, the truth is there are a lot of regulations associated with the law, which makes it difficult to understand.  In order to make it easier, we are going to break down a few key aspects of HIPAA: Important terms; the three rules under HIPAA; and who must comply.


PHI: Protected health information is medical information that can be used to identify an individual, including any and all demographic information, name, Social Security number, telephone number, and medical record number found in any form, including electronic, paper-based, or verbal communication.

ePHI: Electronic personal health information

Covered Entities: Health care providers, health plans, or clearinghouses that electronically transmit medical information such as billing, claims, enrollment, or eligibility verification are considered covered entities.  Also included in this classification are medical practices, employers, rehab centers, nursing homes, public health authorities, billing agencies, and some vendors, service organizations, and universities.

Business Associates: Covered entities, such as a self-funded health plan, may utilize contractors to perform duties that access PHI.  These contractors are referred to as “Business Associates.”

Privacy: HIPAA regulations protect an individual’s right to the privacy of his or her medical information and keep it from falling into the hands of those who may use it for commercial or personal gain, or to cause harm.

Security: This refers to a covered entity’s specific efforts to protect the integrity of the health information it holds and to prevent breaches of privacy if that data were lost, stolen, sent in error, or destroyed by accident.


  1. HIPAA Privacy Rule: a set of federal standards protecting the privacy of health information maintained by covered entities. The privacy rule provides patients with the right to access their records.
  2. HIPAA Security Rule: establishes national standards for security of electronic protected health information. The security rule specifies a series of safeguards that assures availability, integrity, and confidentiality of the ePHI.
  3. HIPAA Breach Notification Rule: requires covered entities and business associates to notify the individual first, then in some cases the Secretary of the Department of Health and Human Services, and the media, regarding unsecured protected health information.


Last but not least, we must define who must follow the rules and guidelines set by HIPAA.  First, health care providers, such as your primary physician, hospitals, dentist, nursing homes, etc, are required to follow all laws under the Act. The second group who must abide by the rule is health plans, including government programs like Medicare and Medicaid and self-funded employee health plans. The third is clearinghouses.  Clearinghouses process non-standard health information into electronic format but are not as common now that most businesses handle these tasks in-house.


HIPAA violations can occur even without the use of computers or electronically transmitted documents.  In 2017, Aetna mailed out letters in response to a settlement over previous privacy concerns. The clear plastic window on the mailing envelopes revealed the PHI of over 12,000 individuals.  As a result, Aetna was ordered to pay $1.5 million by the State of New York and $17 million in a private settlement.  North Memorial Health Care of Minnesota failed to implement a business associate agreement with a major contractor, they also failed to conduct a risk analysis to address vulnerabilities of ePHI; as a result, they agreed to pay a settlement of $1.5 million.  However, the use of computers, laptops, and storage devices must also be closely guarded.  The University of Mississippi paid out $2.75 million when a laptop, not properly protected, was stolen from their ICU and resulted in disclosure of patient records.

We know this is scary and confusing, and we understand how difficult it is to know where to start, but Medcom can help! Our newest division offers a HIPAA Privacy and Security Total Solution that can walk your company step-by-step through the process of becoming 100% HIPAA compliant.

We have given you so much information to digest, but if you retain ONE THING from this blog let it be this:
contact Medcom Benefit Solutions in order to be #1 in HIPAA compliance!