Health Insurance Portability and Accountability Act (HIPAA)
HIPAA was enacted in 1996. The act was created and designed with three important
components: the first component is the Health Care Access, Portability, and Renewability
component. The second aspect of the act deals with privacy issues. The last issue includes the
simplification and standardization of claims processing.
Insurance Coverage - Title I of HIPAA protects health insurance coverage for
workers and their families when they change or lose their jobs. Group health plans are
prohibited from creating eligibility rules or assessing premiums for individuals in the
plan based on health status, medical history, genetic information, or disability. This
does not apply to private individual insurance.
Privacy Issues - This portion of HIPAA is designed to protect the privacy and
security of health data. If you have been to a doctor’s office in the last few years, you
have probably been asked to sign all kinds of new forms; these forms are HIPAA privacy
forms. It does not end with privacy and disclosure forms; people handling medical
information must take special precautions when handling private medical information.
This information includes but is not limited to claims, patient history files, and
Standardized Transaction Sets - The Administrative Simplification (AS) portion
of HIPAA is intended to establish national standards for electronic health care transactions and
national identifiers for providers, health insurance plans, and employers. The transaction sets are
electronic and are known as X12 EDI (Electronic Data Interchange) claims.
HIPAA Security Rule
The Security Rule of HIPAA complements the Privacy Rule. It calls for three types of
security safeguards to be implemented for compliance: Administrative, Physical, and Technical.
Administrative Safeguards - These are policies and procedures designed to clearly
show how an organization will comply with HIPAA.
Organizations that must comply with HIPAA are required to adopt a written set of
privacy procedures. In addition, a privacy officer is to be designated who is to be
responsible for developing and implementing all required policies and procedures.
Procedures must clearly stipulate which classes of employees, or which specific employees,
will have access to protected health information (PHI). Access to PHI must be
restricted to only those employees who have a need for it to complete their job
The procedures must address access authorization, establishment, modification, and
Organizations must show that an appropriate ongoing training program is in place
regarding the handling of PHI. Employees who handle PHI must take part in this program.
Organizations that out-source some of their business processes to a third party must
ensure that their vendors also comply with HIPAA requirements. Typically, there are
clauses in the contracts between the organizations and vendors stating that the vendor
will meet the same data protection requirements that apply to the organization.
Additionally, care must be taken to determine whether the vendor further out-sources any
data handling functions to other sub-contractors. If it does, the appropriate
contracts and controls must be in place as well.
A contingency plan must be in place for responding to emergencies. Organizations are
responsible for backing up their data and having disaster recovery procedures in place.
Internal audits must be carried out for the purpose of identifying potential security
violations. Policies and procedures should specifically document the scope, frequency,
and procedures of audits.
Procedures must be in place for addressing and responding to security breaches that are
identified either during the audit or the normal course of operations.
Physical Safeguards - Physical access to PHI must be restricted and
controlled to guard against inappropriate access to such data.
Controls must be in place to restrict the introduction and removal of hardware and
software from the network. If you are disposing of an old computer with PHI on it, it
is the organization’s responsibility to properly remove or destroy the data before
Access to equipment containing personal health information needs to be restricted,
controlled and monitored.
Access to systems must be limited to authorized and properly authenticated users.
Required access controls need to consist of facility security plans, maintenance
records, and visitor sign-in and escorts.
Workstations should be removed from high traffic areas and monitor screens should not
be in direct view of the public.
Sub-contractors and/or their agents who handle PHI must be fully trained on their
physical access responsibilities, just as the contracting vendor and/or principal
Technical Safeguards - Any organization engaged in the handling of PHI must
control access to computer systems and protect communications containing PHI. These communications
must be protected against interception.
Any systems storing PHI must be protected from break-ins. Whenever PHI flows over an
open computer network, some form of encryption must be used. If the network is closed,
encryption is optional.
Each organization must ensure that the data within its systems is not changed or erased
in an unauthorized manner.
Double-keying, message authentication, digital signatures and checksums are all
recommended to corroborate data and ensure integrity.
Organizations must authenticate their communications. Examples of this include password
systems, telephone callback and token systems.
Documentation of an organization’s HIPAA practices must be made available to the
government to determine its compliance.
Information technology documentation should always include a written record of all
configuration settings on the components of the network.
Documented risk analysis and risk management programs are required. Covered
organizations must carefully weigh the risks of their operations as they implement
systems to comply with the act.