The Health Insurance Portability and
Accountability Act
HIPAA was passed into law in August 1996 in an effort to provide better access to health insurance, to diminish fraud and abuse, and to lower the overall cost of health care in the United States. The Health Insurance Portability and Accountability Act has four main parts:
- Electronic Health Transactions Standards
- Unique Identifiers for Providers, Employers, Health Plans and Patients
- Security and Electronic Signature Standards
- Privacy and Confidentiality Standards
Although HIPAA contains four parts, parts three and four are more relevant to information security and will be further discussed below.
Security and Electronic Signature Standards
Compliance deadlines:
- April 21, 2005 (covered providers, claims clearinghouses and most payers)
- April 21, 2006 (small payers with annual receipts below $5 million)
The security regulations define the administrative, physical and technical safeguards required to protect all electronic health information. The discussion below focuses on two of these: administrative procedures and technical procedures.
Organizational Policies, Practices and Procedures
To comply, an organization documents a set of policies that detail what the office will do to protect electronic data. Administratively, the policies should be designed to prevent, detect, contain, and correct security violations. The security management process standard contains four required implementation specifications: risk analysis, risk management, a sanction policy, and information system activity review.
Technical Policies, Practices and Procedures
On the technical side, there are four sets of actions that must be implemented to control and monitor the access to information.
- All systems must allow for unique user identification and include an emergency access procedure for obtaining electronic data during an emergency.
- Two forms of transmission security must be in place, including (a) integrity controls that ensure that electronically-transmitted health information is not improperly modified without detection; and (b) data encryption, particularly over the Internet.
- Audit controls must be in place: hardware, software and procedural mechanisms that record and examine activity in systems that contain electronic health information.
- Procedures must be established to protect patient health information from improper alteration or destruction, and must include a mechanism to corroborate that the data has not been altered or destroyed in an unauthorized manner.
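The integrity-control and audit-control items above are stated as requirements, not mechanisms. The following is an added example written for this page (not code from any HIPAA rule or from any product named here) of one way to meet them on a single record: the sender attaches an HMAC-SHA256 tag over a canonical serialization, the receiver verifies it in constant time before accepting the record, and each receipt is written to an audit entry keyed by a unique user id. The record fields, the key and the user id are constructed for the example. Note that an HMAC only detects modification; confidentiality of the transmission still requires encryption such as TLS, which is a separate control.

```python
import copy
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed shared integrity key for the example (not a real key; a
# deployment would provision and rotate this out of band).
INTEGRITY_KEY = hashlib.sha256(b"constructed example key - not for production").digest()

# Constructed sample record; the field names are hypothetical and do not
# come from any HIPAA transaction standard.
SAMPLE_RECORD = {
    "patient_id": "P-000123",
    "encounter": "2002-06-14",
    "diagnosis_code": "J45.909",
    "medication": "albuterol 90 mcg inhaler",
}


def canonical_bytes(record: dict) -> bytes:
    """Serialize deterministically so sender and receiver hash identical bytes.

    Sorted keys and fixed separators are a simplification of a canonical
    JSON scheme; without this, a harmless difference in field order or
    whitespace would be indistinguishable from tampering.
    """
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(record: dict, key: bytes) -> dict:
    """Sender side: attach an HMAC-SHA256 tag. The envelope goes over the wire."""
    tag = hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()
    return {"record": record, "alg": "HMAC-SHA256", "tag": tag}


def verify(envelope: dict, key: bytes) -> bool:
    """Receiver side: recompute the tag and compare in constant time."""
    if envelope.get("alg") != "HMAC-SHA256":
        return False
    expected = hmac.new(key, canonical_bytes(envelope["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, envelope.get("tag", ""))


def receive(envelope: dict, user_id: str, key: bytes, audit_log: list):
    """Verify the envelope, then record who received what and the outcome.

    The audit entry carries the unique user id, the action, a record
    identifier and the result; the payload itself is kept out of the log.
    Returns (accepted, record-or-None).
    """
    ok = verify(envelope, key)
    audit_log.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user_id,
        "action": "receive_record",
        "patient_id": envelope["record"].get("patient_id"),
        "outcome": "accepted" if ok else "rejected_integrity_failure",
    })
    return (ok, envelope["record"] if ok else None)


def tamper(envelope: dict, field: str, value) -> dict:
    """Simulate in-transit modification of one field with the tag left unchanged."""
    altered = copy.deepcopy(envelope)
    altered["record"][field] = value
    return altered


if __name__ == "__main__":
    log = []
    env = seal(SAMPLE_RECORD, INTEGRITY_KEY)
    print("clean record accepted:", receive(env, "user-0042", INTEGRITY_KEY, log)[0])
    bad = tamper(env, "medication", "albuterol 900 mcg inhaler")
    print("tampered record accepted:", receive(bad, "user-0042", INTEGRITY_KEY, log)[0])
    for entry in log:
        print(entry)
```

The second call fails because the altered dosage changes the canonical bytes, so the recomputed tag no longer matches the one sent; the audit log then shows one accepted receipt and one rejected receipt for the same user, which is the kind of trail an information system activity review would examine.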
Responsibilities and objectives for monitoring of the information security program and for auditing for compliance with the information security policies, standards, and procedures should be specified in a policy document.
The following are recommended steps for policy development:
- Establish a formal, fully funded project to develop the policies.
- Assign responsibility for the project and appoint an information security manager.
- Use the topics in this summary as the basis for writing policy statements.
- Submit the proposed policies to legal counsel for review.
- Submit the draft policies to management and owners of the health care provider, practitioner or group practice for review.
Privacy and Confidentiality Standards
Compliance deadlines:
- April 14, 2003 (all covered entities except small health plans)
- April 14, 2004 (small health plans)
The privacy provisions establish a national standard for the collection, use and disclosure of individually identifiable health information. This rule defines a patient's control of their medical records; places restrictions on the uses and disclosures of patient information; establishes sanctions for violations of patient confidentiality; and requires an administrative infrastructure to implement and manage these standards.
For more specific details on HIPAA regulations visit http://www.hipaadvisory.com/regs/
Health Insurance Portability and Accountability Act (HIPAA)
The HIPAA compliance guidelines PDF file covers some of the laws and penalties for failing to comply with the HIPAA requirements.
The Health Insurance Portability and Accountability Act, more commonly referred to by its abbreviation 'HIPAA', contains a section dealing with Administrative Simplification. The Administrative Simplification section deals with standardization of electronic patient data and with securing that data to ensure patient privacy and confidentiality.
The HIPAA Administrative Simplification section has four parts:
- Electronic Health Transactions Standards
Details: Proposed Rules I & II
Rule Published: August 17, 2000
Compliance: October 16, 2002
- Unique Identifiers for Providers, Employers, Health Plans and Patients
Details: Proposed Rules I & II
Rule Published: August 17, 2000
Compliance: October 16, 2002
- Security and Electronic Signature Standards
Details: Proposed Rule
Rule Published: Expected October-December, 2002
Compliance: Expected to be 24 months from the effective date of the final rule
- Privacy and Confidentiality Standards
Details: Proposed Rule; Amended Final Rule
Rule Published: December 28, 2000
Amendment: August 14, 2002
Compliance: April 14, 2003
Parts III & IV are relevant to information security and will be covered in more detail below.
Security & Electronic Signature Standards
This rule proposes a standard for security of health information. The rule will establish that health plans, health care clearinghouses, and health care providers must have the security standard in place to comply with the statutory requirement that health care information and individually identifiable health care information be protected to ensure privacy and confidentiality when health information is electronically stored, maintained, or transmitted.
The Congress mandated a separate standard for electronic signature, therefore, this proposed security standard also addresses the selected standard for electronic signature. The proposed security standard does not require the use of an electronic signature, but specifies the standard for an electronic signature that must be followed if such a signature is used. If an entity elects to use an electronic signature, it must comply with the electronic signature standard.
Security of health information is especially important when health information can be directly linked to an individual. Confidentiality is threatened not only by the risk of improper access to electronically stored information, but also by the risk of interception during electronic transmission of the information.
ANSI's Healthcare Informatics Standards Board (HISB) noted in their report to the Office of the Secretary of the Department of Health and Human Services:
"Comprehensive adoption of security standards in health care, not piecemeal implementation, is advocated to provide security to data that is exchanged between health care entities. By definition, if a system or communications between two systems, were implemented with technology(s) meeting standards in a general system security framework (Identification and Authentication; Authorization and Access Control; Accountability; Integrity and Availability; Security of Communication; and Security Administration.) that system would be essentially secure."
The proposed standard requires that each health care entity engaged in electronic maintenance or transmission of health information assess potential risks and vulnerabilities to the individual health data in its possession in electronic form, and develop, implement, and maintain appropriate security measures. Most importantly, these measures must be documented and kept current. The proposed security standard consists of the requirements that a health care entity must address in order to safeguard the integrity, confidentiality, and availability of its electronic data. It also describes the implementation features that must be present in order to satisfy each requirement.
The proposed security requirements have been divided into the following four categories:
- Administrative procedures to guard data integrity, confidentiality, and availability: documented, formal practices to manage the selection and execution of security measures to protect data, and the conduct of personnel in relation to the protection of data.
- Physical safeguards to guard data integrity, confidentiality, and availability: the protection of physical computer systems and related buildings and equipment from fire and other natural and environmental hazards, as well as from intrusion. Physical safeguards also cover the use of locks, keys, and administrative measures used to control access to computer systems and facilities.
- Technical security services to guard data integrity, confidentiality, and availability: the processes put in place to protect, control and monitor information access.
- Technical security mechanisms: the processes put in place to prevent unauthorized access to data that is transmitted over a communications network.
Privacy and Confidentiality
Individuals who provide information to health care providers and health plans increasingly are concerned about how their information is used within the health care system. Patients want to know that their sensitive information will be protected not only during the course of their treatment but also in the future as that information is maintained and/or transmitted within and outside of the health care system.
Efforts to provide legal protection against the inappropriate use of individually identifiable health information were undertaken primarily by the States, which adopted a number of laws designed to protect patients against the inappropriate use of health information. HIPAA creates a floor for these protections: it preempts contrary state law only where the state law is less stringent, and does not supersede state laws that give patients greater protection. For a summary of regulations by state see the Health Privacy Project's 1999 report "The State of Health Privacy: An Uneven Terrain (A Comprehensive Survey of State Health Privacy Statutes)".
HIPAA Privacy regulations address the following:
- Allow for the smooth flow of identifiable health information for treatment, payment, and related operations, and for specified additional purposes related to health care that are in the public interest.
- Prohibit the flow of identifiable information for any additional purposes, unless specifically and voluntarily authorized by the subject of the information.
- Put in place a set of fair information practices that allow individuals to know who is using their health information, and how it is being used.
- Establish fair information practices that allow individuals to obtain access to their records and request amendment of inaccurate information.
- Require persons who hold identifiable health information to safeguard that information from inappropriate use or disclosure.
- Hold those who use individually identifiable health information accountable for their handling of this information, and to provide legal recourse to persons harmed by misuse.
Virtually all healthcare organizations are affected by HIPAA. The rules directly bind covered entities (health plans, health care clearinghouses, and all health care providers that transmit health information electronically, down to single-physician offices), and they reach the organizations that handle health information on their behalf or alongside them, such as public health authorities, life insurers, service organizations, employers, schools and universities. Penalties for noncompliance are severe and include:
- civil fines of up to $25K per calendar year for multiple violations of the same standard
- criminal fines of up to $250K and/or imprisonment of up to 10 years for knowingly misusing individually identifiable health information with intent to sell or transfer it, or to use it for commercial advantage, personal gain or malicious harm
Additional Information
Further HIPAA related information can be found in the independent analyst reports and white papers listed below:
Independent analyst reports
- Health Care: Outsourced HIPAA Solutions Offer a Smart Investment (The Yankee Group, May 25, 2002)
- Privacy, Security and Access to Information: Conference Highlights and Market Snapshot (IDC, May 1, 2002)
White Papers
- HIPAA Compliance - How NetScreen Meets the Security Requirements of the Health Care Industry
- OKENA - Helping Achieve the Goals of HIPAA
- HIPAA Readiness - Using NetIQ Security and Administration Products to Ensure HIPAA Compliance
- HIPAA Security Matrix - NetIQ
- Tripwire Software Protects Data And Network Integrity, Helps Healthcare Systems Meet HIPAA Privacy And Security Standards
- Internet Security Systems approach for HIPAA compliance