The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the United States Congress in 1996. Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs. Title II of HIPAA, known as the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers.
The administrative simplification provisions also address the security and privacy of health data. The standards are meant to improve the efficiency and effectiveness of the nation’s health care system by encouraging the widespread use of electronic data interchange in the U.S. health care system.
With the extensive process changes required to meet HIPAA requirements and the large-scale move toward electronic processing of healthcare information, it is essential to pay close attention to how patient information is handled at every step.
The Security Rule within HIPAA governs Electronic Protected Health Information (EPHI) and has three specific areas required for compliance.
1) Administrative Safeguards – policies and procedures designed to clearly show how an organization will comply with the act
2) Physical Safeguards – controlling physical access to protect against inappropriate access to protected data
3) Technical Safeguards – controlling access to computer systems and enabling covered entities to protect communications containing Protected Health Information (PHI) transmitted electronically over open networks from being intercepted by anyone other than the intended recipient
Examples of enforcing compliance with HIPAA regulations include restricting access to patient information to a need-to-know basis; putting safeguards in place to uphold the integrity of electronic data and prevent unauthorized changes and data loss; meeting significant configuration reporting requirements; and maintaining documented risk analysis and risk management programs.
More recently, the HITECH Act added notification requirements for data breaches: affected individuals, the government, and the media must be made aware of unauthorized access to protected information.