CHAPTER 8:
HIPAA

HIPAA – the Health Insurance Portability and Accountability Act of 1996 – applies to health plans, health care clearinghouses and health care providers, which are known in the Act as ‘covered entities’.

The Act requires health care organizations to protect – and keep up-to-date – their patients’ health care records (which includes patient account handling, billing and medical records), in order to streamline health industry processes, reduce paperwork, make the detection and prosecution of fraud easier, and enable workers to more easily change jobs, even if they have pre-existing medical conditions.

The information security requirements of the Act are contained in Health Insurance Reform: Security Standards; Final Rule (45 CFR Parts 160, 162 and 164; 20 February 2003). This requires covered entities to:

‘ensure the confidentiality, integrity, and availability of all electronic protected health information they create, receive, maintain, or transmit’ [§164.306(a)(1)];

‘protect against any reasonably anticipated threats or hazards to security or integrity of such information’ [§164.306(a)(2)]; and

‘protect against any reasonably anticipated uses or disclosures of such information that are not permitted’ [§164.306(a)(3)].

The compliance date, for all covered entities, with the exception of small health plans (which had an extra year), was 20 April 2005.

The Administrative Simplification (AS) Provisions set out the specific rules that institutions must implement in order to comply with HIPAA; these include rules for EDI, for electronic signatures and for standards of privacy. They are intended to be technology-independent and each institution is expected to deploy the technology it considers appropriate.
