The Health Insurance Portability and Accountability Act (HIPAA) has changed the healthcare information security landscape in the U.S. Compliance has become a critical issue for all organizations that come in contact with health information. Here is a summary of the HIPAA basics.
HIPAA, also known as the Kennedy-Kassebaum Act, was signed into law by the U.S. Congress in 1996 to establish health insurance reform and healthcare administrative simplification for various healthcare entities including: health plans, healthcare clearinghouses such as billing services and community health information systems, and healthcare providers that transmit healthcare data in a way that is regulated by HIPAA.
Governed by HHS, HIPAA Title I supports the continuation of health insurance coverage for workers and their families when they change or lose their jobs. Title II defines numerous offenses relating to healthcare and healthcare-related information and sets civil and criminal penalties for agencies that fail to abide by HIPAA standards.
The most significant provisions of Title II for IT organizations are its Administrative Simplification rules. Per the requirements of Title II, HHS has established five rules regarding Administrative Simplification:
Various security standards apply to each of these rules, particularly the Security Rule, which establishes three main categories of safeguards: Administrative Safeguards, Physical Safeguards, and Technical Safeguards. Each safeguard area includes both required and addressable implementation specifications. Required specifications must be adopted and administered as dictated by the rule.
Addressable specifications are more flexible. For both required and addressable specifications, however, the rules leave how an organization satisfies each security requirement, and which technology it chooses, to the business decisions of that entity.
Healthcare organizations face fines for noncompliance with HIPAA regulations. Penalties include general fines of up to $25,000 per incident and, for wrongful disclosure of individually identifiable health information, a fine of up to $50,000, imprisonment for not more than one year, or both.
HIPAA Fines are Real
In July 2008, HHS announced a formal action against Providence Health & Services. HHS required Providence to pay $100,000 and implement a detailed Corrective Action Plan to ensure that it will appropriately safeguard identifiable electronic patient information against theft or loss.
This case emphasizes that there is a renewed interest in HIPAA and sends a clear message that HHS has the authority and intent to take enforcement action. Whether HHS would actually enforce HIPAA has been debated ever since the law's passage. These matters are frequently resolved on a consultative basis with the HHS Office for Civil Rights (OCR), which prefers to work with the healthcare organization to resolve problems. The HHS Office of Inspector General (OIG), however, has been critical of HHS' lack of enforcement activity in the past. Providence is an example that shows HHS can and will act on HIPAA violations.
Key Issues in HIPAA Security Compliance Management