The Health Insurance Portability and Accountability Act of 1996 (HIPAA) defines as its primary purpose as “improving the portability and continuity of health insurance coverage in the group and individual markets.” It designed and established standards and requirements for electronic transmission and storage of certain healthcare information. The Administrative Simplification transaction standards mandated by HIPAA will mean a significant increase in use, transfer and storage of electronic data – all of which must be kept private, secure and portable.
The final privacy rules became effective in April 2001 and gave healthcare providers 24 months to become compliant. If companies do not have processes and procedures into place by April 2003, then the Department of Health and Human Services (DHHS) can impose civil penalties with hefty fines per violations. There may also be criminal penalties for security breaches committed knowingly and additional or more severe penalties for trying to conceal a breach.
Security Standards Required by HIPAA
Medical providers must have a contingency plan. Planning for emergencies includes regular backup of data, storage of backup media, critical facilities availability and disaster recovery procedures. Maintaining written policies and procedures that document compliance of HIPAA rules is also part of the security requirements.
HIPPA was enacted to protect patient privacy, and as a result all patient-specific information is protected health information” (PHI) including computer hard drives, diskettes, e-mail, backup tapes, voice recordings, and similar media as well as paper printouts and reports. The rules protect the data and individuals privacy independent of the operating platform and means of communication. They are equally applicable in a system that communicates over a local area network, a wide area network, or the Internet.
In addition to privacy and security standards, HIPAA sets standards for electronic signatures, unique identifiers, and eight Electronic Data Interchange (EDI) code sets that define the format for electronically transmitted health information across Medicare, Medicaid, other Federal and private health programs.
- April 14, 2003: Privacy: Includes all covered entities except small health plans.
- April 16, 2003: Electronic Health Care Transaction and Code Sets: All covered entities must have started software and systems testing.
- October 16, 2003: Electronic Health Care Transaction and Code Sets: All covered entities who filed for an extension and small health plans.
- April 14, 2004: Privacy: Small health plans.
- July 30, 2004: Employer Identifier Standard: All covered entities except small health plans.
- April 20, 2005: Security standards must be implemented.
Administrative Safeguards Issues
The following are the area that must be addressed in order to meet the new tough standards under HIPAA.
|A. Risk Analysis
B. Risk Management
C. Sanction Policy
D. Information System Activity Review
E. Assigned Security Responsibility
F. Authorization and/or Supervision
G. Workforce Clearance Procedure
H. Termination Procedure
I. Isolating Health Care Information
J. Clearinghouse functions.
K. Access Authorization
L. Access Establishment and Authorization
M. Security Reminders
N. Protection from Malicious Software
P. Response and Reporting
Physical Safeguards Issues
|A. Contingency Operations
B. Facility Security Plan
C. Access Control and Validation Procedures
D. Maintenance Records
E. Workstation Use
F. Workstation Security
Technical Safeguards Issues
|A. Unique User Identification
B. Emergency Access Procedure
C. Automatic Logoff
D. Encryption and Decryption
E. Audit Controls
We look forward to serving your employee benefit administration.