HIPAA: Get the Facts

What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the U.S. Congress in 1996. It has two major components: Title I, which protects health insurance coverage for workers and their families when they lose or change their jobs; and Title II, the Administrative Simplification Provisions, which aim to improve the efficiency and effectiveness of the U.S. health care system by encouraging the widespread use of electronic data interchange, partly by setting security standards to protect the confidentiality and integrity of "individually identifiable" health information.

What types of organizations are regulated under HIPAA?
HIPAA covers health care organizations and virtually all organizations that handle electronic health information, whether directly as covered entities or indirectly, by contract, as their business associates. This includes health care providers, health plans, public health authorities, health care clearinghouses and self-insured employers, as well as life insurers, information systems vendors, various types of service organizations and universities.

What is the relationship between HIPAA and Information Security?
The Administrative Simplification Provisions of HIPAA aim to improve the efficiency and effectiveness of the U.S. health care system by encouraging the widespread use of electronic information exchange. As part of that, the provisions set standards for security and privacy to help ensure the confidentiality and integrity of electronic patient data, including health, financial and administrative information.

What are the requirements of the Administrative Simplification Provisions?
The Administrative Simplification Provisions were designed to 1) improve efficiency in health care delivery by standardizing electronic data interchange, and 2) protect the confidentiality and security of health data by setting and enforcing standards.
Specifically, HIPAA called upon the Department of Health and Human Services (HHS) to publish new rules that would ensure the standardization of electronic patient data, create unique health identifiers for individuals, employers, health plans and health care providers and set security standards to protect the confidentiality and integrity of "individually identifiable health information." To achieve these goals, the four rules created by HHS are:
What type of information is protected by the HIPAA Security Rule?
The Security Rule protects electronic protected health information (ePHI): individually identifiable health information that a covered entity creates, receives, maintains or transmits in electronic form. Health, financial or administrative data about a patient becomes individually identifiable when it is linked to identifiers such as names, addresses, dates (other than year) relating to the individual, telephone and fax numbers, social security numbers, medical record numbers, patient account numbers, health plan beneficiary numbers, vehicle identifiers, certificate and license numbers, device identifiers and serial numbers, full-face photographs, biometric identifiers such as fingerprints, e-mail addresses, URLs and IP addresses.

What does the HIPAA Security Rule specifically require of information security programs?
The Security Rule requires covered entities to:
It includes specific security standards in three main areas that must be met in order to ensure compliance: administrative, physical and technical safeguards. Each standard carries implementation specifications that are either required or "addressable"; an addressable specification must still be implemented where reasonable and appropriate, and if it is not, the covered entity must document why and what equivalent measure it adopted instead.
Does the HIPAA Security Rule mandate the use of specific products?
The Security Rule is intended to be technology-neutral, scalable and flexible; it does not require specific products or technologies. Organizations may choose solutions appropriate to their size, complexity and operations, as long as the selected solutions are supported by a documented security assessment and risk analysis.

How are the provisions of HIPAA enforced?
HIPAA provides civil and criminal penalties for non-compliance. Civil penalties are capped at $25,000 per calendar year for all violations of an identical standard. Criminal penalties for knowingly obtaining or disclosing individually identifiable health information rise, at the most serious tier (offenses committed with intent to sell the information or to use it for commercial advantage, personal gain or malicious harm), to fines of up to $250,000 and/or imprisonment of up to 10 years.

What is being done in Europe with regard to protecting patients' health information?
In 1995, the European Union (EU) adopted the Data Protection Directive (95/46/EC), which seeks to provide a high level of protection for the privacy of individuals together with the free movement of personal data within the EU and across the borders of its member states. It sets strict limits on the collection and use of personal data and requires each Member State to establish an independent national supervisory authority responsible for data protection. The Directive states that personal data must be processed fairly and lawfully, collected for specific, explicit and legitimate purposes, and kept in a form that permits identification of data subjects for no longer than is necessary. It places very specific information-handling requirements on any data an organization wants or needs to process in an EU country. U.S. organizations that receive or process personal data, including health data, from EU countries must satisfy the Directive's requirements for transfers outside the EU in order to continue doing that business. To bridge the differences between the U.S. and EU approaches to privacy, the U.S. Department of Commerce and the European Commission developed the "Safe Harbor" framework in July 2000. Safe Harbor provides a privacy compliance framework and a way for U.S. organizations to avoid interruptions in their business dealings with the EU, or prosecution by European authorities under European privacy laws. A U.S. organization that self-certifies to the Safe Harbor requirements assures EU entities that it provides the "adequate" privacy protection the Directive demands. In short, Safe Harbor offers a simpler and cheaper means of meeting the adequacy requirements of the EU Directive.

What is CSIA's position on HIPAA?
CSIA believes that efforts to ensure the security of personal information, including health information as addressed by HIPAA and the EU Data Protection Directive, are vital to the functioning of the global economy and the delivery of citizen services. To ensure the confidentiality and integrity of personal information, the security of digital health information should be given further consideration as we move toward widespread adoption of electronic health records.