HIPAA 101

Printer Friendly Version

HIPAA (Public Law 104-91) stands for the Health Information Portability and Accountability Act and the goal of this regulation is to protect personal information about consumer health records. HIPAA is a regulated by the U.S. Department of Health and Human Services and has vast information security ramifications for healthcare providers and their affiliate organizations. The original HIPAA deadline was October 15, 2002, however, qualified organizations who filed an extension have until April 14, 2003 to comply. Small healthcare providers have until October 16, 2003 to comply.

Where Did HIPAA Come From?
HIPAA was enacted by Congress and signed into law by President Clinton on August 21, 1996. The goal of HIPAA is to ensure that healthcare providers secure electronic records about patients in the same manner that hardcopy records are secured. By securing records, the healthcare industry can improve their level of services since improved security will lead to greater adoption of electronic transactions. One of the reasons that HIPAA was enacted was because the U.S. Federal Government wants all Medicare transactions to occur electronically by October 16, 2003. Before Congress could mandate patient records surrounding Medicare occur electronically, the security and privacy of patient records needed to be guaranteed.

Congress enacted HIPAA in response to the growing use of the Internet and electronic transactions. HIPAA is a privacy law to protect consumers from having their personal health information exploited by insurance companies, employers, and anyone else who may try to exploit, disclose, or publish their personal health information. In the Federal Register, HIPAA is more informally known as the Privacy Rule.

HIPAA is far more complex than the Year 2000 date problem that information technology administrators faced in 1999, and that is why there are few guidelines available and few organizations providing compliancy services.

Impact of HIPAA
HIPAA is not only good for consumers, it is also good for healthcare providers. By complying with the due diligence that HIPAA requires, healthcare providers can reduce the risk of litigation and help build patient loyalty. If records are secured properly, it reduces their risk of being stolen or viewed by people who aren't working in the best interest of the patient.

A wide variety of people and organizations are affected by HIPAA including:

• Hospitals
• Doctors
• Dentists
• Medical Labs
• Pharmacies
• Pharmaceutical Companies
• Health Insurance Providers
• Consumers

There are both civil and criminal penalties possible for non-compliance and the Department of Justice has the discretion on how stiff to make the penalties. The maximum is $100.00 per violation. That may not sound like much but if a database of 10,000 patients gets inadvertently exposed to an insurance provider, the penalties add up quickly.

Help for HIPAA Audits
There are only a handful of auditing tools that can help organizations become HIPAA compliant. These tools have not been certified and using them is no guarantee that all HIPAA compliances will be met. However, these tools do have built-in HIPAA modules and if used properly can help reduce the risk of failing a HIPAA audit. These tools include:

• RiskWatch
• XACTA
• RiskPAC

Healthcare providers will need to conduct a Security Audit, a Privacy Audit, and an online penetration test so that they can put together a list of items requiring corrective action. Conducting security and privacy audits mean that all the current policies and procedures are reviewed an analyzed for deficiencies. In this short article, it is not possible to go over the extent of everything that you'll need to do to help your organization become HIPAA compliant, but here are some tasks that should definitely be on your list to help you get started.

Tasks Related to System Security

These tasks will help ensure that systems, data, and networks are secured properly:

• Make sure you have procedures for data backups
• Make sure you have an authentication mechanism that verifies user identity
• Make sure you have policies and procedures for user authentication
• Make sure you have encryption policies and procedures for record transactions
• Ensure that policies and controls exist to monitor data integrity
• Verify that anti-virus tools exist to prevent data corruption and tampering
• Ensure password policies are documented and understood by all users
• Procedures for handling electronic media (CDs, tapes, cartridges) should be documented