Citrix and HIPAA: History of HIPAA

History of HIPAA—
And How the Security Rule Affects You

The Health Insurance Portability and Accountability Act (HIPAA) is the catalyst for change in healthcare. Enacted by Congress on August 21, 1996, its purpose is to enable better access to health insurance, reduce fraud and abuse and lower the overall cost of healthcare in the United States.

HIPAA addresses two primary concerns in healthcare: portability and accountability. Title I protects health insurance coverage for workers and their families when they change or lose their jobs. Title II, the Administrative Simplification provisions, requires the Department of Health and Human Services (HHS) to establish national standards for electronic health care transactions and national identifiers for providers, health plans, and employers. It also addresses the security and privacy of health data.

HIPAA’s Three Rules
As the agency charged with drafting the act, HHS distilled the Administrative Simplification provisions into three rules: the Privacy Rule, Transactions and Code Set Standard, and the Security Rule. HHS oversees and enforces the Privacy Rule, while the Centers for Medicare & Medicaid Services (CMS) oversees and enforces all other Administrative Simplification requirements, including the Security Rule.

Privacy Rule
Compliance deadline April 15, 2003
The Privacy Rule provides the first comprehensive Federal protections for the privacy of health information. It specifically defines the authorized and unauthorized disclosures and uses of individually identifiable health information.

Transactions and Code Set Standard
Compliance deadline October 16, 2003
This rule mandates use of predefined transaction standards and code sets for communications and transactions in the healthcare industry.

Security Rule
Compliance deadline April 21, 2005
The Security Rule addresses the security of electronic protected health information (ePHI). Unlike the Privacy Rule, which provides broader protection for all forms of health information—paper, oral, and electronic—the Security Rule is concerned with the technical aspects of protecting ePHI.


The Security Rule—What You Need To Know
Prior to HIPAA, no generally accepted set of standards existed for protecting health information. As technology evolved, and the healthcare industry moved from paper processes to computers for administrative and clinical functions—such as Web-based applications, CPOE systems and remote access for physicians—the security standards in HIPAA were developed for two primary purposes:

  • to protect certain electronic health care information that may be at risk
  • to protect individual health data while permitting appropriate access to that information—and promote the use of electronic health information in the industry

HIPAA security standards are divided into administrative, physical, and technical safeguards.
  • Administrative safeguards include assignment or delegation of security responsibility to an individual and security training requirements.
  • Physical safeguards are the mechanisms required to protect electronic systems, equipment, and the data they hold from threats, environmental hazards, and unauthorized intrusion. They include restricting physical access to ePHI and retaining off-site computer backups.
  • Technical safeguards are the automated processes used to protect data and control access to it. They include using authentication controls to verify that the person signing on to a computer is authorized to access that ePHI, and encrypting and decrypting data as it is stored and/or transmitted.

Each set of safeguards comprises a number of standards, which in turn comprise implementation specifications that are either required or addressable. Required specifications must be implemented; addressable specifications must be assessed to determine if they’re reasonable and appropriate in your environment.
