What is it?
The Health Insurance Portability and Accountability Act (HIPAA)
was enacted by the U.S. Congress in 1996. According to the Centers
for Medicare and Medicaid Services (CMS) website, Title I of HIPAA protects
health insurance coverage for workers and their families when they change or
lose their jobs. Title II of HIPAA, the Administrative Simplification (AS)
provisions, requires the establishment of national standards for electronic
health care transactions and national identifiers for providers, health
insurance plans, and employers. The AS provisions also address the security and
privacy of health data. The standards are meant to improve the efficiency and
effectiveness of the nation's health care system by encouraging the widespread
use of electronic data interchange in the US health care system.
Final Security Rule
The Final Rule on Security Standards was issued on February 20, 2003. It
took effect on April 21, 2003, with a compliance date of April 21, 2005 for
most covered entities and April 21, 2006 for “small plans.” The Security Rule
complements the Privacy Rule. While the Privacy Rule pertains to all Protected
Health Information (PHI), paper and electronic alike, the Security Rule deals
specifically with Electronic Protected Health Information (ePHI). It lays out
three types of security safeguards required for compliance: administrative,
physical, and technical. For each of these types, the Rule identifies various
security standards, and for each standard it names implementation
specifications that are either required or addressable. Required
specifications must be adopted and administered as dictated by the Rule.
Addressable specifications are more flexible: each covered entity evaluates its
own situation and determines whether and how to implement them, and if it
chooses not to, it must document why and adopt an equivalent alternative
measure where that is reasonable. The standards and specifications are as
follows:
- Administrative Safeguards - policies and procedures designed to clearly show
how the entity will comply with the act.
- Physical Safeguards - controls on physical access to protect against
inappropriate access to protected data.
- Technical Safeguards - controls on access to computer systems, and
protection of communications containing PHI transmitted electronically over
open networks from interception by anyone other than the intended recipient.
- Information systems housing PHI must be protected from intrusion.
- Each covered entity is responsible for ensuring that the data within its
systems has not been changed or erased in an unauthorized manner.
- Data corroboration, including the use of checksums, double-keying, message
authentication codes, and digital signatures, may be used to ensure data
integrity. An unkeyed checksum only detects accidental corruption: anyone who
can alter the data can recompute it, so detecting deliberate tampering requires
a keyed MAC or a digital signature whose key the attacker does not hold.
- Covered entities must also authenticate the entities they communicate with.
- Covered entities must make documentation of their HIPAA practices available
to the government to determine compliance.
- In addition to policies and procedures and access records, information
technology documentation should also include a written record of all
configuration settings on the components of the network, because these
components are complex, configurable, and constantly changing.
- Documented risk analysis and risk management programs are required. (This
requirement implies that the act’s security requirements are a minimum
standard and places responsibility on covered entities to take all reasonable
precautions necessary to prevent PHI from being used for non-health purposes.)
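The data corroboration item above is the one technical claim in this list that benefits from a demonstration: a checksum and a keyed MAC behave identically against accidental corruption but differ sharply against deliberate alteration by someone who can also rewrite the stored tag. The following Python is an added example, not code from the page or from any HIPAA guidance; the record fields, the key, and the function names are assumptions made for illustration.

```python
"""Integrity corroboration for an ePHI record: unkeyed checksum vs. keyed MAC.

Added example for illustration only. The record, the key and every helper
name below are assumptions, not part of any HIPAA text or real system.
"""
import hashlib
import hmac
import json
import zlib

# Constructed sample record; every value is fictional.
RECORD = {
    "patient_id": "P-000123",
    "dob": "1970-01-01",
    "diagnosis_code": "E11.9",
    "prescription": "metformin 500mg bid",
}

# Constructed key. In practice it lives in a key manager, never in source.
INTEGRITY_KEY = b"example-integrity-key-do-not-reuse"


def canonical(record: dict) -> bytes:
    """Serialize deterministically so equal records always give equal bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def crc_tag(record: dict) -> int:
    """Unkeyed checksum: detects accidental corruption, not deliberate edits."""
    return zlib.crc32(canonical(record))


def hmac_tag(record: dict, key: bytes) -> str:
    """Keyed MAC: detects both corruption and edits by anyone lacking the key."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify_crc(record: dict, tag: int) -> bool:
    return crc_tag(record) == tag


def verify_hmac(record: dict, tag: str, key: bytes) -> bool:
    # Constant-time comparison so the check itself does not leak the tag.
    return hmac.compare_digest(hmac_tag(record, key), tag)


def tamper_outcomes(key: bytes = INTEGRITY_KEY) -> dict:
    """Store both tags for RECORD, then try two kinds of alteration."""
    stored_crc = crc_tag(RECORD)
    stored_mac = hmac_tag(RECORD, key)

    # 1. Accidental corruption (a flipped byte in storage): the stored tags
    #    are untouched, so both checks should fail against the damaged record.
    corrupted = dict(RECORD, diagnosis_code="E11.8")

    # 2. Deliberate unauthorized edit by someone with write access to the
    #    record AND its checksum: the attacker recomputes the unkeyed CRC
    #    but cannot recompute the HMAC without the key.
    edited = dict(RECORD, prescription="metformin 5000mg bid")
    edited_crc = crc_tag(edited)

    return {
        "crc_detects_corruption": not verify_crc(corrupted, stored_crc),
        "hmac_detects_corruption": not verify_hmac(corrupted, stored_mac, key),
        "crc_detects_edit": not verify_crc(edited, edited_crc),
        "hmac_detects_edit": not verify_hmac(edited, stored_mac, key),
    }


if __name__ == "__main__":
    for name, detected in tamper_outcomes().items():
        print(f"{name}: {'detected' if detected else 'NOT detected'}")
```

Running the block shows the CRC catching the corrupted record but accepting the deliberately edited one, while the HMAC rejects both. The same separation holds for a digital signature, which additionally lets a party that does not hold the signing key verify the record; a MAC only works between parties that share the key.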
Impact on the IT organization
Standards enforced by HIPAA include, but are not limited to:
- 164.308(a)(1)(ii)(D) - Information system activity review
- 164.312(b) - Audit controls: recording and examining activity in systems that contain or use ePHI
- 164.312(c)(1) - Integrity: protection of ePHI from improper alteration or destruction