Health Insurance Portability and Accountability Act

U.S. Congress enacted the Health Insurance Portability and Accountability Act (HIPAA) in 1996. The primary purpose of the statute is twofold. First, it helps citizens maintain their health insurance coverage. Second, it improves the efficiency and effectiveness of the American health care system. It does so by combating waste, fraud, and abuse in both health insurance and the delivery of healthcare. The U.S. Department of Health and Human Services (HHS) is responsible for publishing requirements and for enforcing HIPAA laws. However, the Office of Civil Rights, a subagency of HHS, administers and enforces the Privacy Rule and Security Rule of HIPAA. These laws are divided across five titles, which include the following:

  • Title I, Health Care Access, Portability, and Renewability

  • Title II, Preventing Health Care Fraud and Abuse, Administrative Simplification; Medical Liability Reform

  • Title III, Tax-Related Health Provisions

  • Title IV, Application and Enforcement of Group Health Plan Requirements

  • Title V, Revenue Offsets

Given the sensitive nature of one’s personal health records, this regulation is usually taken very seriously and affects the following:

  • Health care providers—Doctors, hospitals, clinics, and so on

  • Health plans—Those that pay the cost of medical care, such as insurance companies

  • Health care clearinghouse—Those that process and facilitate billing

The last major update to the HIPAA rules was the HIPAA Omnibus Rule changes in 2013. While the fundamental requirements (referred to as Safeguards) in the act did not change, a number of details within each title’s requirements underwent fine-tuning, including:

  • Performing a gap analysis to determine what policies and procedures must be revisited in light of the Omnibus Rules

  • Revising privacy and security policies and procedures

  • Revising breach notification policies and procedures

  • Amending notices of privacy practices based on the new rules

  • Enhancing training of the workforce and promoting more ongoing awareness

  • Ensuring end-user training on proper handling of data is performed prior to granting access

  • Updating risk analysis to reflect vulnerabilities such as mobile devices

Much of the focus around HIPAA is within the first two titles. Title I offers protection of health insurance coverage without regard to preexisting conditions to those, for example, who lose or change their jobs. Title II provides requirements for the privacy and security of health information. This is often referred to as administrative simplification. The broader law calls for the following:

  • Standardization of electronic data—patient, administrative, and financial—as well as the use of unique health identifiers

  • Security standards and controls to protect the confidentiality and integrity of individually identifiable health information

As a result, the HHS has provided five rules regarding Title II of HIPAA. These rules include the Privacy Rule, the Transactions and Code Sets Rule, the Security Rule, the Unique Identifiers Rule, and the Enforcement Rule. These five rules affect information technology operations within organizations. Specifically, the Privacy Rule and Security Rule affect information security. HIPAA is primarily concerned with protected health information (PHI). PHI is individually identifiable health information. PHI relates to the physical or mental health of an individual. It can also relate to the delivery of health care to an individual as well as payment for the delivery of health care.

The Privacy Rule went into effect in 2003. It regulates the use and disclosure of PHI by covered entities. Covered entities, for example, include health care providers, health plans, and health care clearinghouses. In many ways, the Privacy Rule drives the Security Rule. Under the law, covered entities are obligated to do the following:

  • Provide information to patients about their privacy rights and how the information can be used.

  • Adopt clear privacy procedures.

  • Train employees on privacy procedures.

  • Designate someone to be responsible for overseeing that privacy procedures are adopted and followed.

The Security Rule followed the Privacy Rule. Unlike the Privacy Rule, however, the Security Rule applies just to electronic PHI (ePHI). The Security Rule provides for the confidentiality, integrity, and availability of ePHI, and contains three broad safeguards:

  • Administrative safeguards

  • Technical safeguards

  • Physical safeguards

Each of the preceding safeguards consists of various standards. Every standard is either required or addressable. Required standards must be implemented as stated, whereas addressable standards provide flexibility: an organization can decide how to reasonably and appropriately meet the standard (or document why an alternative measure is appropriate). Bear in mind, however, that addressable does not mean optional.

Administrative safeguards primarily consist of policies and procedures. They govern the security measures used to protect ePHI. Table 2-1 provides a summary of the administrative safeguards, including the required and addressable standards.

TABLE 2-1 HIPAA administrative safeguards and implementation specifications.

SAFEGUARD (implementation specifications listed beneath each)
Security management process
  • Risk analysis
  • Risk management
  • Sanction policy
  • Information system activity review
Assigned security responsibility
  • Not applicable
Workforce security
  • Authorization and/or supervision
  • Workforce clearance procedure
  • Termination procedures
Information access management
  • Isolating health care clearinghouse function
  • Access authorization
  • Access establishment and modification
Security awareness and training
  • Security reminders
  • Protection from malicious software
  • Logon monitoring
  • Password management
Security incident procedures
  • Response and reporting
Contingency plan
  • Data backup plan
  • Disaster recovery plan
  • Emergency mode operation plan
  • Testing and revision procedures
  • Applications and data criticality analysis
Evaluation
  • Not applicable
Business associate contracts and other arrangements
  • Written contract or other arrangement

Physical safeguards are the policies, procedures, and physical controls (and their supporting documentation) that protect information systems and the physical structures housing them from unauthorized access, as well as from natural disasters and other environmental hazards. The physical safeguards include the four standards shown in Table 2-2, along with their implementation specifications.

TABLE 2-2 HIPAA physical safeguards and implementation specifications.

SAFEGUARD (implementation specifications listed beneath each)
Facility access controls
  • Contingency operations
  • Facility security plan
  • Access control and validation procedures
  • Maintenance records
Workstation use
  • Not applicable
Workstation security
  • Not applicable
Device and media controls
  • Disposal
  • Media reuse
  • Accountability
  • Data backup and storage

Technical safeguards consist of the policies, procedures, and technology controls put in place to protect ePHI and prevent unauthorized access to it. Table 2-3 lists the five safeguards and their corresponding implementation specifications.

TABLE 2-3 HIPAA technical safeguards and implementation specifications.

SAFEGUARD (implementation specifications listed beneath each)
Access control
  • Contingency operations
  • Facility security plan
  • Access control and validation procedures
  • Maintenance records
Audit controls
  • Not applicable
Integrity
  • Mechanisms to authenticate ePHI
Person or entity authentication
  • Not applicable
Transmission security
  • Integrity controls
  • Encryption

Although covered entities must comply with the previously listed safeguards and implementation specifications, there isn’t a safeguard listed that should surprise organizations. In fact, most of these safeguards are addressed through best practices for any sensitive information.
