The Health Insurance Portability and Accountability Act (HIPAA) is U.S. federal legislation, enacted in 1996, whose implementing rules set out requirements for the protection of protected health information (PHI). It applies to covered entities and to the business associates that handle PHI on their behalf. HIPAA's primary aim is to protect individuals' medical records and other health information while allowing the flow of information needed to provide high-quality healthcare.
Examples of PHI
Any individually identifiable health information created, received, maintained or transmitted by a covered entity or business associate, such as medical records, insurance information, healthcare history, billing information, and identifiable demographic data (e.g., address, date of birth, Social Security number). Health information that has been de-identified under the Privacy Rule's standards (removal of the specified identifiers, or an expert determination that re-identification risk is very small) is not PHI.
Covered Entity
A "covered entity" under HIPAA is one of three kinds of organization: a healthcare provider (hospital, doctor, dentist, pharmacy) that transmits health information electronically in connection with a standard transaction such as a claim or eligibility check, a health plan (insurance company, HMO, government health program), or a healthcare clearinghouse. Covered entities are directly responsible for complying with HIPAA.
Business Associate
A "business associate" is a person or organization, other than a member of the covered entity's workforce, that creates, receives, maintains or transmits PHI in order to perform a function or provide a service on behalf of a covered entity (for example hosting, billing, analytics or transcription). A covered entity may disclose PHI to a business associate only under a written Business Associate Agreement (BAA), and since the 2013 Omnibus Rule business associates are themselves directly liable for compliance with the Security Rule and with the terms of their BAA; subcontractors of a business associate that handle PHI are business associates too. An organization like myLaminin falls into the business associate category when it handles PHI for a covered entity.

Key aspects of HIPAA
Scope
Regulates the use, disclosure, and safeguarding of PHI throughout the United States. It applies to covered entities and their business associates.
Compliance
Organizations handling PHI must comply with HIPAA's Privacy Rule (permitted uses and disclosures, individual rights such as access and amendment, and written authorization for uses beyond treatment, payment and healthcare operations), Security Rule (administrative, physical and technical safeguards for electronic PHI, driven by a documented risk analysis), and Breach Notification Rule (notifying affected individuals, HHS and in some cases the media after a breach of unsecured PHI, without unreasonable delay and no later than 60 days after discovery).
Purpose
To protect the privacy and security of individuals' protected health information while ensuring that healthcare services are not unnecessarily impeded.
Assessment
Compliance is assessed through internal risk analyses and audits, through investigations and compliance reviews by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), which enforces the rules and can impose civil monetary penalties, settlements and corrective action plans, and through legal proceedings, including civil actions by state attorneys general and criminal prosecution by the Department of Justice for knowingly obtaining or disclosing PHI in violation of the Act.
Who needs to comply?
- Hospitals
- Doctors' and dentists' offices
- Health insurance companies
- Pharmacies
- Healthcare clearinghouses
- Business associates handling PHI on behalf of covered entities (e.g., IT service providers, billing companies, cloud services)
Why is compliance important?
- Ensuring patient privacy: protects sensitive medical and personal information from unauthorized access and disclosure.
- Legal obligation: required under U.S. federal law, with civil monetary penalties for noncompliance and criminal penalties for knowing misuse of PHI.
- Maintaining trust: demonstrates a commitment to protecting patient confidentiality and maintaining organizational reputation.
- Reducing risk: minimizes the risk of data breaches, regulatory investigations, financial penalties, and reputational damage.
myLaminin’s compliance with HIPAA
myLaminin has performed a detailed assessment of the platform's ability to meet HIPAA requirements in its role as a business associate handling PHI for covered entities. Based on this evaluation, myLaminin is over 80% compliant with HIPAA requirements.

Requirements tagged as NA ('Not Applicable') predominantly relate to the following:
- myLaminin acts in the role of a business associate and therefore does not hold the same responsibilities as a covered entity under the Act.
- If clients choose our On-Premises Data Storage option, they retain responsibility for some requirements related to data storage and the physical security of that data.
- It is the responsibility of the researchers to ensure that consent (and, where HIPAA requires it, a written authorization or an IRB or privacy board waiver) is obtained and documented when collecting protected health information using our platform. myLaminin gives researchers complete control over the consent process, methods, and templates used.