Health Insurance Portability and Accountability Act of 1996

Previous page
Table of content
Next page

In 1996, the U.S. Congress passed the Health Insurance Portability and Accountability Act (HIPAA). The act includes two sections. The first, Title I, provides health insurance coverage after employees have lost or changed jobs. The second section, Title II, deals with administrative actions intended to simplify and standardize health information. The IT component of Title II deals with security and handling of health information in an electronic age. When the topic of HIPAA arises, particularly among IT staff, it is the implications of this section that are most prevalent.

The IT components of the act prescribe a standard methodology for security. Further, HIPAA standardizes formats for health-related information. The standards encompass methods that ensure patient confidentiality and data integrity for any information that can be associated with an individual patient.

The most commonly identified component of the act is a body of data collectively known as protected health information (PHI). These data represents the entire spectrum of individually identifiable health-related information. Any entity that maintains and uses individually identifiable PHI is subject to the act. The effective scope of HIPAA encompasses everyone from hospitals, to insurers, to doctors (of all types), to laboratories, and to companies that operate or participate in health plans. Organizations affected by HIPAA are referred to by the act as covered entities.

HIPAA Privacy and Security Rules

Two rules were published in the Federal Register by the Department of Health and Human Services after HIPAA was passed. The HIPAA Privacy Rule was published in December 2000, and the HIPAA Security Rule was published in February 2003.

The HIPAA Privacy Rule is focused mostly on administrative controls designed to protect patient privacy, such as securing or masking medical charts, locking file cabinets, and establishing privacy policies. The HIPAA Privacy Rule was enforced beginning April 2003.

The HIPAA Security Rule is focused on technical controls such as network perimeter protection encryption and workstation security. The HIPAA Security Rule is broken out into high-level standards and implementation specifications that support each standard. Implementation specifications are either required (mandatory) or addressable (required unless justified otherwise). Table 14-1 that outlines the implementation specifications required by the HIPAA Security Rule. The implementation specifications with (R) next to them are required; those with (A) are addressable. Organizations were given until April 2005 to comply with the HIPAA Security Rule.

Table 14-1: HIPAA Security Rule Requirements

Standard

Security Rule Reference

Implementation Specification

Administrative Safeguards

Security management process

164.308(a)(1)

Risk Analysis (R)

Risk Management (R)

Sanction Policy (R)

Information System Activity Review (R)

Assigned security responsibility

164.308(a)(2)

Assigned Security Responsibility (R)

Workforce security

164.308(a)(3)

Authorization and/or Supervision (A) Workforce Clearance Procedure Termination Procedures (A)

Information access management

164.308(a)(4)

Isolating Health Care Clearinghouse

Function (R)

Access Authorization (A)

Access Establishment and Modification (A)

Security awareness and training

164.308(a)(5)

Security Reminders (A)

Protection from Malicious Software (A)

Log-in Monitoring (A)

Password Management (A)

Security incident procedures

164.308(a)(6)

Response and Reporting (R)

Contingency plan

164.308(a)(7)

Data Backup Plan (R) Disaster Recovery Plan (R) Emergency Mode Operation Plan (R) Testing and Revision Procedure (A) Applications and Data Criticality Analysis (A)

Evaluation

164.308(a)(8)

Evaluation (R)

Business associate contracts and other arrangements

164.308(b)(1)

Written Contract or Other Arrangement (R)

Physical Safeguards

Facility access controls

164.310(a)(1)

Contingency Operations (A) Facility Security Plan (A) Access Control and Validation Procedures (A) Maintenance Records (A)

Workstation use

164.310(b)

Workstation Use (R)

Workstation security

164.310(c)

Workstation Security (R)

Device and media controls

164.310(d)(1)

Disposal (R)

Media Reuse (R)

Accountability (A)

Data Backup and Storage (A)

Technical Safeguards

Access control

164.312(a)(1)

Unique User Identification (R) Emergency Access Procedure (R) Automatic Logoff (A) Encryption and Decryption (A)

Audit controls

164.312(b)

Audit Controls (R)

Integrity

164.312(c)(1)

Mechanism to Authenticate Electronic Protected Health Information (A)

Person or entity authentication

164.312(d)

Person or Entity Authentication (R)

Transmission security

164.312(e)(1)

Integrity Controls (A) Encryption (A)

HIPAA's Impact on Covered Entities

For large health care organizations, compliance with HIPAA provisions has been expensive but did not necessarily represent a major shift in the way they did business. For smaller organizations or those that would not have thought themselves custodians of PHI, the implications have been far more extensive. Successful compliance requires an IT involvement and a focus on security controls associated with access, modification, movement, and handling of PHI. Controls associated with PHI from a privacy and security standpoint are complex but represent commonly used approaches. As a general rule, smaller organizations or those that historically have not maintained significant amounts of PHI have found that implementing the technical security components of HIPAA is challenging. Not surprisingly, this group of entities is the least likely to have had a preexisting and strong privacy and security focus.

Successfully complying with HIPAA provisions also requires cultural and organizational alignment with the requirements of the act. Education and compliance activities, along with associated identified compliance roles, are required. A privacy officer and, in most cases, a security officer are also required. Reporting relationships regarding visibility and accessibility to senior management often mean that key security and compliance individuals charged with HIPAA compliance have an unambiguous solid or dotted reporting line to the CEO.

Compliance with HIPAA is certainly far more than IT. Policies, procedures, and controls should precede the application of IT. Many HIPAA compliance experts caution against letting technology overshadow the underlying requirements for strong and ongoing policy development/administration. For those organizations where HIPAA compliance required the most changes, a visible and engaged senior management endorsement of the policies, procedures, and privacy/security investments has been the key to success.


Previous page
Table of content
Next page
IT Auditing. Using Controls to Protect Information Assets
It Auditing: Using Controls to Protect Information Assets [IT AUDITING -OS N/D]
ISBN: B001TI1HNG
EAN: N/A
Year: 2004
Pages: 159
BUY ON AMAZON
Interprocess Communications in Linux: The Nooks and Crannies
Secure Programming Cookbook for C and C++: Recipes for Cryptography, Authentication, Input Validation & More
Visual C# 2005 How to Program (2nd Edition)
Lotus Notes Developers Toolbox: Tips for Rapid and Successful Deployment
Sap Bw: a Step By Step Guide for Bw 2.0
Java All-In-One Desk Reference For Dummies
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy