IT Security Compliance – HIPAA

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

DEFINITION: The Health Insurance Portability and Accountability Act of 1996 (HIPAA) allows persons to qualify immediately for comparable health insurance coverage when they change their employment or relationships. It also creates the authority to mandate the use of standards for the electronic exchange of health care data; to specify what medical and administrative code sets should be used within those standards; to require the use of national identification systems for health care patients, providers, payers (or plans), and employers (or sponsors); and to specify the types of measures required to protect the security and privacy of personally identifiable health care information.

HIPAA Compliance

Title I of HIPAA regulates the availability and breadth of group health plans and certain individual health insurance policies. It amended the Employee Retirement Income Security Act, the Public Health Service Act, and the Internal Revenue Code.

Title II of HIPAA defines policies, procedures and guidelines for maintaining the privacy and security of individually identifiable health information, outlines numerous offenses relating to health care, and sets civil and criminal penalties for violations. It also creates several programs to control fraud and abuse within the health care system. However, the most significant provisions of Title II are its Administrative Simplification rules.

In practical terms, HIPAA does the following:

  • Provides the ability to transfer and continue health insurance coverage for millions of American workers and their families when they change or lose their jobs;
  • Reduces health care fraud and abuse;
  • Mandates industry-wide standards for health care information on electronic billing and other processes; and
  • Requires the protection and confidential handling of protected health information.

The HIPAA Security Rule labels its implementation specifications as either ‘required’ or ‘addressable’. Required (R) means that the given specification is mandatory and must be implemented as written. Addressable (A) means that the organization must implement the specification unless its documented risk analysis concludes that doing so is not reasonable and appropriate in its particular environment; in that case it must document why, and implement an equivalent alternative measure where one is reasonable and appropriate. Important Note: Addressable does not mean optional. An auditor will expect to see either the control or the written justification and the alternative measure.

HIPAA applies to “PHI” (Protected Health Information): individually identifiable health information that a covered entity or business associate creates, receives, maintains or transmits, in any form (paper, electronic or oral). Information is identifiable when it carries identifiers such as names, email addresses, phone numbers, medical record numbers, full-face photographs, driver's license numbers, etc.

There are four rules that you will need to understand.

  • HIPAA Privacy Rule
  • HIPAA Security Rule
  • HIPAA Enforcement Rule
  • HIPAA Breach Notification Rule

The Privacy Rule (through the business associate agreement) requires Business Associates to do the following:

  • Not use or disclose PHI in any way the agreement or the Privacy Rule does not permit.
  • Notify the Covered Entity of any breach of unsecured PHI.
  • Provide either the individual or the Covered Entity with access to PHI.
  • Disclose PHI to the Secretary of HHS if compelled to do so for a compliance investigation.
  • Provide an accounting of disclosures.
  • Comply with the requirements of the HIPAA Security Rule.

The Security Rule groups its safeguards into 3 categories.

  • Technical Safeguards
  • Physical Safeguards
  • Administrative Safeguards

There are 5 standards listed under the Technical Safeguards section.

  1. Access Control
  2. Audit Controls
  3. Integrity
  4. Person or Entity Authentication
  5. Transmission Security

There are 4 standards in the Physical Safeguards section.

  1. Facility Access Controls
  2. Workstation Use
  3. Workstation Security
  4. Device and Media Controls

There are 9 standards under the Administrative Safeguards section.

  1. Security Management Process
  2. Assigned Security Responsibility
  3. Workforce Security
  4. Information Access Management
  5. Security Awareness and Training
  6. Security Incident Procedures
  7. Contingency Plan
  8. Evaluation
  9. Business Associate Contracts and Other Arrangements

The Enforcement Rule sets civil money penalties for violating HIPAA rules and establishes procedures for investigations and hearings for HIPAA violations.

According to the HHS website (www.hhs.gov), the compliance issues most frequently investigated are, in order of frequency:

  • Impermissible uses and disclosures of PHI
  • Lack of safeguards of PHI
  • Patients unable to access their own PHI
  • Use or disclosure of more than the minimum necessary PHI
  • Lack of safeguards of electronic PHI (www.hhs.gov/enforcement, 2013)

The types of covered entities most often required to take corrective action to achieve voluntary compliance are, according to HHS and in order of frequency:

  • Private practices
  • Hospitals
  • Outpatient facilities
  • Group health plans (such as insurance groups)
  • Pharmacies (www.hhs.gov/enforcement, 2013)

HIPAA Breach Notification Rule

The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information. Similar breach notification provisions, implemented and enforced by the Federal Trade Commission (FTC), apply to vendors of personal health records and their third party service providers, pursuant to section 13407 of the HITECH Act.

A business associate must notify the covered entity of any breach that occurs at or by the business associate. The covered entity is then responsible for the three forms of notice the rule requires, each without unreasonable delay and no later than 60 days after discovery of the breach:

  • Individual Notice (written notice to each affected individual)
  • Media Notice (required when the breach affects more than 500 residents of a state or jurisdiction)
  • Notice to the Secretary of HHS (immediately for breaches affecting 500 or more individuals; logged and reported annually for smaller breaches)

References – Sources