The Health Insurance Portability and Accountability Act of 1996 (HIPAA) affects every organization that transmits medical and health records. HIPAA codifies standards for the transmission, storage, and access control of what it defines as “protected health information” (PHI). Electronic transmission of PHI is of particular concern to health care providers, clearinghouses, and health plans.
HIPAA, signed into law in August 1996, established the government’s intent to reform the health care system. The act addresses four areas:
- Transaction and code set standards
- Identifier standards
- Privacy standards
- Security and electronic signature standards
The first two areas simplify the administrative side of health care in general. The latter two specifically address the confidentiality, integrity, and availability of the data held by health care organizations. HIPAA sets explicit compliance deadlines for each rule, with the deadline depending on the size of the organization.
HIPAA applies directly to covered entities: health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with a covered transaction, whether a hospital system, a university medical center, or a single-physician office. Employers, public health authorities, life insurers, billing agencies, information systems vendors, and service organizations are reached indirectly when they handle PHI for a covered entity, which remains responsible for the information it shares with them. In addition, “A covered entity’s responsibility to implement security standards extends to the members of its workforce, whether they work at home or on-site.” (45 CFR Parts 160, 162, and 164 § 160.103) A covered entity must therefore implement and manage security for its remote workforce as well as its on-site staff, and extend the same requirements contractually to third-party administrators (TPAs) and other business partners that process its PHI. The regulation is bound less to an industry than to a type of information: PHI.
IT Security Governance
Entities covered by the act must:
- Ensure that all online collection of protected health information is appropriate and secure
- Ensure that protected health information is secured and appropriately stored, both locally and by third-party partners
- Protect against any reasonably anticipated:
  - threats or hazards to the security or integrity of the information
  - unauthorized uses or disclosures of the information
- Adopt a complete security program, with administrative, physical, and technical safeguards, that addresses the HIPAA requirements
These obligations serve the act’s broader objectives:
- Reduce administrative overhead costs
- Improve the efficiency and effectiveness of the national health system
- Reduce fraud and abuse
- Protect the privacy of health information
- Protect patient rights
- Improve the quality of patient care through better access to clinical data
- Improve information availability for decision-making
- Increase security for Internet-based technology