Health Insurance Portability and Accountability Act (HIPAA)

HIPAA was enacted in 1996. The act was designed around three important components: the first is the Health Care Access, Portability, and Renewability component; the second deals with privacy issues; the third covers the simplification and standardization of claims processing.

  • Insurance Coverage - Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs. Group health plans are prohibited from creating eligibility rules or assessing premiums for individuals in the plan based on health status, medical history, genetic information, or disability. This does not apply to private individual insurance.
  • Privacy Issues - This portion of HIPAA is designed to protect the privacy and security of health data. If you have been to a doctor's office in the last few years, you have probably been asked to sign all kinds of new forms; these are HIPAA privacy forms. It does not end with privacy and disclosure forms: people handling medical information must take special precautions when handling private medical information. This information includes, but is not limited to, claims, patient history files, and enrollment files.
  • Standardized Transaction Sets - The Administrative Simplification (AS) portion of HIPAA is intended to establish national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers. The transaction sets are electronic and are known as X12 EDI (Electronic Data Interchange) claims.

HIPAA Security Rule

The Security Rule of HIPAA complements the Privacy Rule. It calls for three types of security safeguards to be implemented for compliance: Administrative, Physical, and Technical.

Administrative Safeguards - are policies and procedures designed to clearly show how an organization will comply with HIPAA.

  • Organizations that must comply with HIPAA are required to adopt a written set of privacy procedures. In addition, a privacy officer is to be designated who is to be responsible for developing and implementing all required policies and procedures.
  • Procedures must clearly stipulate which classes of employees, or which specific employees, will have access to protected health information (PHI). Access to PHI must be restricted to only those employees who need it to complete their job function.
  • The procedures must address access authorization, establishment, modification, and termination.
  • Organizations must show that an appropriate ongoing training program is in place regarding the handling of PHI. Employees who handle PHI must take part in this program.
  • Organizations that out-source some of their business processes to a third party must ensure that their vendors also comply with HIPAA requirements. Typically, the contracts between the organization and its vendors contain clauses stating that the vendor will meet the same data protection requirements that apply to the organization. Additionally, care must be taken to determine whether the vendor further out-sources any data handling functions to other sub-contractors. If so, the appropriate contracts and controls must be in place for them as well.
  • A contingency plan must be in place for responding to emergencies. Organizations are responsible for backing up their data and having disaster recovery procedures in place.
  • Internal audits must be carried out for the purpose of identifying potential security violations. Policies and procedures should specifically document the scope, frequency, and procedures of audits.
  • Procedures must be in place for addressing and responding to security breaches that are identified either during an audit or in the normal course of operations.

Physical Safeguards - Physical access to PHI must be restricted and controlled to guard against inappropriate access to such data.

  • Controls must be in place to restrict the introduction and removal of hardware and software from the network. If you are disposing of an old computer with PHI on it, it is the organization's responsibility to properly remove or destroy the data before disposal.
  • Access to equipment containing personal health information needs to be restricted, controlled and monitored.
  • Access to systems must be limited to authorized and properly authenticated users.
  • Required access controls need to consist of facility security plans, maintenance records, and visitor sign-in and escorts.
  • Workstations should be removed from high traffic areas and monitor screens should not be in direct view of the public.
  • Sub-contractors and/or their agents who handle PHI must be fully trained on their physical access responsibilities, just as the contracting vendor and/or principal organization are.

Technical Safeguards - Any organization engaged in the handling of PHI must control access to computer systems and protect communications containing PHI. These communications must be protected against interception.

  • Any systems storing PHI must be protected from break-ins. Whenever PHI flows over an open computer network, some form of encryption must be used. If the network is closed, encryption is optional.
  • Each organization must ensure that the data within its systems is not changed or erased in an unauthorized manner.
  • Double-keying, message authentication, digital signatures and checksums are all recommended to corroborate data and ensure integrity.
  • Organizations must authenticate their communications. Examples of this include password systems, telephone callback and token systems.
  • Documentation of an organization's HIPAA practices must be made available to the government to determine its compliance.
  • Information technology documentation should always include a written record of all configuration settings on the components of the network.
  • Documented risk analysis and risk management programs are required. Covered organizations must carefully weigh the risks of their operations as they implement systems to comply with the act.
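The integrity bullet above lists checksums alongside message authentication as ways to corroborate stored data, and the two do not give the same guarantee. The following Python example, added here and not taken from the page or from any vendor product, seals a constructed (fictitious) claim record with both a CRC-32 checksum and an HMAC-SHA256 tag under a hypothetical integrity key, then shows that a one-bit storage fault is caught by either mechanism while a deliberate edit of the record is caught only by the keyed HMAC, because whoever can edit the record can also recompute an unkeyed checksum. The record contents, key, and function names are all assumptions for illustration.

```python
import hashlib
import hmac
import json
import zlib

# Constructed sample claim record with fictitious PHI; it does not come from
# any real system.
SAMPLE_RECORD = {
    "member_id": "M-000123",
    "diagnosis_code": "J06.9",
    "claim_amount": "150.00",
}

# Hypothetical integrity key. A real deployment would obtain it from a key
# management service rather than embed it in source.
INTEGRITY_KEY = b"example-integrity-key-not-for-production"


def canonical_bytes(record):
    """Deterministic serialization so identical content always hashes identically."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def crc32_checksum(data):
    """Unkeyed CRC-32: catches accidental corruption, not deliberate change."""
    return zlib.crc32(data) & 0xFFFFFFFF


def hmac_tag(data, key):
    """HMAC-SHA256 tag: only a holder of the key can produce a valid tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_hmac(data, tag, key):
    """Constant-time comparison avoids leaking tag bytes through timing."""
    return hmac.compare_digest(hmac_tag(data, key), tag)


def seal(record, key):
    """Store the serialized record together with both integrity values."""
    data = canonical_bytes(record)
    return {"data": data, "crc": crc32_checksum(data), "tag": hmac_tag(data, key)}


def check(stored, key):
    """Return (checksum_ok, hmac_ok) for a stored record."""
    return (
        crc32_checksum(stored["data"]) == stored["crc"],
        verify_hmac(stored["data"], stored["tag"], key),
    )


def simulate_accidental_corruption(record, key):
    """Flip one bit in storage, as a failing disk or transfer error might."""
    stored = seal(record, key)
    corrupted = bytearray(stored["data"])
    corrupted[0] ^= 0x01
    stored["data"] = bytes(corrupted)
    return check(stored, key)  # both mechanisms notice: (False, False)


def simulate_unauthorized_edit(record, key):
    """Edit the record and recompute the checksum, which needs no secret."""
    stored = seal(record, key)
    edited = dict(record)
    edited["claim_amount"] = "1500.00"
    stored["data"] = canonical_bytes(edited)
    stored["crc"] = crc32_checksum(stored["data"])
    # The HMAC tag cannot be recomputed without the key, so the old tag stays
    # and no longer matches the edited data.
    return check(stored, key)  # checksum passes, HMAC fails: (True, False)


if __name__ == "__main__":
    print("accidental corruption ->", simulate_accidental_corruption(SAMPLE_RECORD, INTEGRITY_KEY))
    print("unauthorized edit     ->", simulate_unauthorized_edit(SAMPLE_RECORD, INTEGRITY_KEY))
```

The design point is that a checksum is a safety control and an HMAC (or a digital signature, when the verifier should not hold the signing secret) is a security control; an audit that only confirms checksums match says nothing about whether PHI was changed in an unauthorized manner.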
