In 1996, the U.S. Congress passed the Health Insurance Portability and Accountability Act (HIPAA). The act includes two sections. The first, Title I, provides health insurance coverage after employees have lost or changed jobs. The second section, Title II, deals with administrative actions intended to simplify and standardize health information. The IT component of Title II deals with security and handling of health information in an electronic age. When the topic of HIPAA arises, particularly among IT staff, it is the implications of this section that are most prevalent.
The IT components of the act prescribe a standard methodology for security. Further, HIPAA standardizes formats for health-related information. The standards encompass methods that ensure patient confidentiality and data integrity for any information that can be associated with an individual patient.
The most commonly identified component of the act is a body of data collectively known as protected health information (PHI). These data represent the entire spectrum of individually identifiable health-related information. Any entity that maintains and uses individually identifiable PHI is subject to the act. The effective scope of HIPAA encompasses everyone from hospitals, to insurers, to doctors (of all types), to laboratories, and to companies that operate or participate in health plans. Organizations affected by HIPAA are referred to by the act as covered entities.
Two rules were published in the Federal Register by the Department of Health and Human Services after HIPAA was passed. The HIPAA Privacy Rule was published in December 2000, and the HIPAA Security Rule was published in February 2003.
The HIPAA Privacy Rule is focused mostly on administrative controls designed to protect patient privacy, such as securing or masking medical charts, locking file cabinets, and establishing privacy policies. The HIPAA Privacy Rule was enforced beginning April 2003.
The HIPAA Security Rule is focused on technical controls such as network perimeter protection, encryption, and workstation security. The HIPAA Security Rule is broken out into high-level standards and implementation specifications that support each standard. Implementation specifications are either required (mandatory) or addressable (required unless justified otherwise). Table 14-1 outlines the implementation specifications defined by the HIPAA Security Rule. The implementation specifications marked (R) are required; those marked (A) are addressable. Organizations were given until April 2005 to comply with the HIPAA Security Rule.
| Standard | Security Rule Reference | Implementation Specification |
|---|---|---|
| **Administrative Safeguards** | | |
| Security management process | 164.308(a)(1) | Risk Analysis (R); Risk Management (R); Sanction Policy (R); Information System Activity Review (R) |
| Assigned security responsibility | 164.308(a)(2) | Assigned Security Responsibility (R) |
| Workforce security | 164.308(a)(3) | Authorization and/or Supervision (A); Workforce Clearance Procedure; Termination Procedures (A) |
| Information access management | 164.308(a)(4) | Isolating Health Care Clearinghouse Function (R); Access Authorization (A); Access Establishment and Modification (A) |
| Security awareness and training | 164.308(a)(5) | Security Reminders (A); Protection from Malicious Software (A); Log-in Monitoring (A); Password Management (A) |
| Security incident procedures | 164.308(a)(6) | Response and Reporting (R) |
| Contingency plan | 164.308(a)(7) | Data Backup Plan (R); Disaster Recovery Plan (R); Emergency Mode Operation Plan (R); Testing and Revision Procedure (A); Applications and Data Criticality Analysis (A) |
| Evaluation | 164.308(a)(8) | Evaluation (R) |
| Business associate contracts and other arrangements | 164.308(b)(1) | Written Contract or Other Arrangement (R) |
| **Physical Safeguards** | | |
| Facility access controls | 164.310(a)(1) | Contingency Operations (A); Facility Security Plan (A); Access Control and Validation Procedures (A); Maintenance Records (A) |
| Workstation use | 164.310(b) | Workstation Use (R) |
| Workstation security | 164.310(c) | Workstation Security (R) |
| Device and media controls | 164.310(d)(1) | Disposal (R); Media Reuse (R); Accountability (A); Data Backup and Storage (A) |
| **Technical Safeguards** | | |
| Access control | 164.312(a)(1) | Unique User Identification (R); Emergency Access Procedure (R); Automatic Logoff (A); Encryption and Decryption (A) |
| Audit controls | 164.312(b) | Audit Controls (R) |
| Integrity | 164.312(c)(1) | Mechanism to Authenticate Electronic Protected Health Information (A) |
| Person or entity authentication | 164.312(d) | Person or Entity Authentication (R) |
| Transmission security | 164.312(e)(1) | Integrity Controls (A); Encryption (A) |
For large health care organizations, compliance with HIPAA provisions has been expensive but did not necessarily represent a major shift in the way they did business. For smaller organizations, or those that would not have thought of themselves as custodians of PHI, the implications have been far more extensive. Successful compliance requires IT involvement and a focus on the security controls associated with access to, modification of, movement of, and handling of PHI. Controls associated with PHI from a privacy and security standpoint are complex but represent commonly used approaches. As a general rule, smaller organizations, or those that historically have not maintained significant amounts of PHI, have found that implementing the technical security components of HIPAA is challenging. Not surprisingly, this group of entities is the least likely to have had a preexisting and strong privacy and security focus.
Successfully complying with HIPAA provisions also requires cultural and organizational alignment with the requirements of the act. Education and compliance activities, along with clearly identified compliance roles, are required. A privacy officer and, in most cases, a security officer are also required. Because these roles need visibility and access to senior management, the key security and compliance individuals charged with HIPAA compliance often have an unambiguous solid-line or dotted-line reporting relationship to the CEO.
Compliance with HIPAA is certainly far more than IT. Policies, procedures, and controls should precede the application of IT. Many HIPAA compliance experts caution against letting technology overshadow the underlying requirements for strong and ongoing policy development/administration. For those organizations where HIPAA compliance required the most changes, a visible and engaged senior management endorsement of the policies, procedures, and privacy/security investments has been the key to success.