What is the Health Insurance Portability and Accountability Act (HIPAA)

Security and compliance. These two words probably can’t be stressed enough when it comes to your company’s records and sensitive data. As a business with thousands of paper and electronic records, you probably think about these every day.



  • Are our records secure?
  • How do they comply with pertinent regulations?
  • Which regulations do they even need to comply with?

These questions are common, and easily answerable.

The records management industry helps many different businesses throughout many different industries comply with many different regulations. Specifically, for businesses in the medical world, perhaps the most well-known of these regulations is the Health Insurance Portability and Accountability Act (HIPAA) of 1996, governed by the United States Department of Health and Human Services (HHS).

If you’re storing records on your own, it might be a hassle to keep up with. On the other hand, if you’re using some records storage facilities, you might not know for certain whether your records are actually compliant and secure. Either way, complying with HIPAA might be easier than you think, as it just requires a little bit of key knowledge—knowledge that certain records management providers have plenty of. If you know what HIPAA encompasses, you will inevitably have more confidence.

HIPAA and Protected Health Information (PHI)

The first thing to know about HIPAA is that it was created to secure Protected Health Information (PHI). What exactly is PHI, though? PHI is defined by HHS as individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper or oral.

Okay, but what constitutes a business associate? HHS defines this as a person or organization, other than a member of a covered entity’s workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involves the use or disclosure of PHI.

What are these services? HHS defines them as functions or activities on behalf of a covered entity that include claims processing, data analysis, utilization review and billing.

So records management companies aren’t business associates, right? Wrong.

Recently, in 2013, the definition of what a business associate actually is was amended to include subcontractors that create, receive, maintain or transmits PHI.



Given these definitions, it’s time to understand the multiple rules that HIPAA establishes. The first of these is the Standards for Privacy of Individually Identifiable Health Information, or the Privacy Rule. This HIPAA rule establishes national standards for the protection of PHI by health plans, health care clearinghouses and health care providers. The major goal of the Privacy Rule, according to HHS, is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well-being.

The next HIPAA rule is the Security Standards for the Protection of Electronic Protected Health Information, or Security Rule. Within this rule are national standards that protect electronic PHI (e-PHI). According to HHS, the goal of this Security Rule is to protect the privacy of individuals’ health information while allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care.

The next two HIPAA rules relate to scenarios in which data breaches occur. The first is the Enforcement Rule, which creates provisions relating to compliance and investigations, the imposition of civil money penalties for violations of the HIPAA Administrative Simplification Rules and procedures for hearings. The second is the Breach Notification Rule, which requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. HHS defines a breach in this sense as an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of PHI.

HIPAA Omnibus Rule

The final HIPAA rule was created in 2013 and is called the Omnibus Rule. This rule implements provisions from the Health Information Technology for Economic and Clinical Health (HITECH) Act by strengthening and integrating HITECH Breach Notification requirements to clarify when breaches of unsecured PHI must be reported to HHS. In addition, the Omnibus Rule ensures clarity and accountability around the Privacy, Security and Enforcement Rules. The rule also focuses on individual patients, as it requires a response to a patient’s written request for copies of PHI within 30 days.

HIPAA and Records Management Providers

The question of how this all relates to a records management provider might be a bit ambiguous. In simple terms, HIPAA was enacted solely to protect patient PHI. When PHI is transferred to a records management facility for storage or imaging, the HIPAA rules must continue to be followed. This not only ensures legal compliance, but also protection of patient PHI and protection of the covered entity’s reputation. A records storage facility helps businesses to comply with HIPAA by providing them with:

  • PHI organization
  • A secure storage facility
  • Compliance with other regulations that already comply with HIPAA

HIPAA at Rover Records Management

If you entrust your records and PHI with a records management provider, it is well worth your time to ensure that the company is reliable. Ensuring that your information is in good hands will ultimately keep your patients’ PHI secure and keep you safe from HIPAA violations and lawsuits.

At Rover Records Management, our services are all HIPAA compliant and well-guarded against data breaches. Some of the ways in which we achieve this are by:

  • Random urinalysis of employees
  • Mandatory HIPAA training for employees
  • Criminal background checks
  • GPS tracking on all vehicles transferring records and PHI
  • Annual audits of our processes and procedures