Overview of HIPAA

The U.S. Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law whose rules must be followed by health plans, health care clearinghouses, and health care providers such as doctors and hospitals.  HIPAA helps ensure that medical records, medical billing, and patient accounts meet consistent standards for documentation, handling, and privacy.

HIPAA Rules That Involve Critical Technology Components:

The Privacy Rule

The Privacy Rule establishes national standards to protect individuals' medical records and other personal health information.  It applies to health plans, health care clearinghouses, and health care providers that conduct health care transactions electronically.  It requires that appropriate safeguards be in place to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization.

The Privacy Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records and to request corrections.

The Security Rule

The HIPAA Security Rule addresses the protection of electronic protected health information (ePHI).  Like the Privacy Rule, it deals with individually identifiable health information (the Privacy Rule's de-identification standard lists 18 identifiers that must be removed before data is no longer treated as PHI), but it applies only to PHI that is created, received, maintained or transmitted in electronic form.  The Security Rule defines standards, procedures and methods for protecting the confidentiality, integrity and availability of ePHI, with attention to how it is stored, accessed, transmitted and audited.

The HIPAA Security Rule addresses the following aspects of security:

  • Administrative Safeguards – Security management (including risk analysis), assignment of a security official responsible for compliance, workforce training, and the policies and procedures that govern the other safeguards.
  • Physical Safeguards – Physical protection of electronic systems, equipment and media, including facility access controls and workstation and device security.
  • Technical Safeguards – Access control, audit controls, integrity protections, person or entity authentication, and transmission security (for example encryption) used to control and monitor access to ePHI.

Newer Legislation—The HITECH Act

The American Recovery and Reinvestment Act of 2009 includes the Health Information Technology for Economic and Clinical Health (HITECH) Act.

The HITECH Act expands the scope of the HIPAA Privacy and Security Rules and increases the penalties for HIPAA violations.  Specifically, it:

  • Applies the HIPAA privacy and security requirements directly to business associates;
  • Establishes mandatory federal security breach reporting requirements for HIPAA covered entities and their business associates;
  • Creates new privacy requirements for HIPAA covered entities and their business associates, including new accounting-of-disclosures requirements for electronic health records (EHRs), restrictions on marketing and fundraising, and other developments; and
  • Establishes new criminal and civil penalties for noncompliance and new enforcement responsibilities.