Page 6 - 2021 Risk Reduction Series - Communication Part Two
SVMIC Risk Reduction Series: Communication
to protect individuals’ medical records and other personal
health information; this applies to health plans, healthcare
clearinghouses, and those healthcare providers that conduct
certain healthcare transactions electronically. Covered entities
are healthcare providers who conduct certain transactions
electronically, as defined by the rule. Most physician practices
are considered covered entities.
The Privacy Rule requires the protection of all protected
health information (PHI) that is created, received, stored, or
transmitted by covered entities. Generally, PHI is information
that can identify an individual in connection with the provision of
healthcare. Protected health information in an electronic format
is commonly abbreviated as ePHI. Individually identifiable health
information includes data that relates to:
• Patient demographics;
• The individual’s past, present or future physical or mental
health or condition;
• The provision of healthcare to the individual; or
• The past, present, or future payment for the provision of
healthcare to the individual; and
• Identifying the individual or for which there is a reasonable
basis to believe it can be used to identify the individual.
Whereas the HIPAA Privacy Rule deals with PHI in general,
the HIPAA Security Rule deals with electronic protected health
information, which is essentially a subset of what the HIPAA
Privacy Rule encompasses. The Security Rule focuses only
on ePHI and requires that a Security Risk Analysis (SRA)
be performed and administrative, physical, and technical