Patient Information - The HIPAA Challenge

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 has fostered the use of electronic transactions, simplifying healthcare administration and reducing overhead.

However, the computerization of patient records has created an increased security risk from various sources, such as intrusion attempts, unauthorized internal access and other security attacks. HIPAA therefore mandates security measures be taken to protect sensitive data, ensuring that only patients and their healthcare providers have access to patient medical information. According to the Final Rule of the Act’s Health Insurance Reform: Security Standards, HHS states:

“Section 1173(d) of the Act provides that covered entities that maintain or transmit health information are required to maintain reasonable and appropriate administrative, physical, and technical safeguards to ensure the integrity and confidentiality of the information and to protect against any reasonably anticipated threats or hazards to the security or integrity of the information and unauthorized use or disclosure of the information. These safeguards must also otherwise ensure compliance with the statute by the officers and employees of the covered entities.”

The Title II Administrative Simplification Security Rule states that specific security issues related to transmitting and storing patient data must be addressed. Safeguard initiatives where solutions must be implemented include:

• Security Management Process
• Administrative Safeguards
• Assigned Security Responsibility
• Workforce Security
• Information Access Management
• Security Awareness and Training
• Security Incident Procedures
• Contingency Plan
• Evaluation
• Business Associate Contracts and Other Arrangements
• Physical Safeguards
• Facility Access Controls
• Workstation Use
• Workstation Security
• Device and Media Controls
• Technical Safeguards
• Access Control
• Audit Controls
• Integrity
• Person or Entity Authentication
• Transmission Security

To comply with HIPAA regulations and protect patient information, healthcare organizations need to update their legacy computer systems, ramping up their information security capabilities, and defining and implementing business processes that align with security objectives.

The HIPAA Security Standards do not specify particular technology requirements, so each affected healthcare organization must assess its own risk and develop security measures accordingly. Organizations must then certify their security programs through self-certification or by a private accreditation entity.

Addressing the HIPAA Security Rule and implementing the technical, administrative, and physical safeguards that will ensure compliance requires a comprehensive information security program.