HIPAA 101 – An introduction to HIPAA
HIPAA, otherwise known as the Health Insurance Portability and Accountability act, which was first introduced in 1996, demanded that the department for human services and health in the U.S. (HHS) should create specific regulations to protect the security and privacy of health information. In order to properly fulfill this new requirement, the HHS published the HIPPA security rule, and the HIPAA privacy rule. The privacy rule, otherwise referred to as the standards for privacy of individual health information, establishes the standards that should be used nationally to protect health information. The security rule addresses the non-technical and technical safeguards that covered entities needed in place to ensure individuals’ information (or e-PHI) remains secure.
Within the HHS, the office of civil rights is responsible for enforcing the security and privacy rules, utilizing voluntary compliance activities, and penalties. Before HIPAA was introduced, there was no widely accepted set of general requirements or security standards available for protecting the health information that exists in the care industry. However, new technologies have continued to evolve, and the health care industry has started to move away from the process of using paper, to rely more heavily on utilizing electronic information systems to answer eligibility questions, pay claims and conduct various other clinical administrative functions.
Currently, providers are using clinical applications such electronic health records, computerized physician order entries, and electronic pharmacy, laboratory and radiology systems. Health plans more regularly provide access to care management and claims, as well as various self-service options, meaning that the workforce in the medical industry has become more efficient and mobile. However, the rising online adoption has increased the potential security risks that are emerging.
One of the primary goals of the security rule is to ensure that individuals’ private health information remains secure, while allowing certain entities to engage with new technologies and improve the way the patient care can work. Because the marketplace in healthcare is so vast and diverse, the security rule needed to be versatile and flexible enough to give covered entities access to policies, technologies and procedures appropriate for that entity’s size and organizational structure. At the same time, it has to make sure it doesn’t limit innovations that help the industry and help in its cause to keep electronic healthcare information of patients private.
Like many simplification rules regarding Administration, the Security Rule applies to health care clearinghouses, health plans, and providers of healthcare who transmit information and data about health in electronic form in combination with a transaction for which standards have been adopted under HIPAA.
The Information that Is Protected
The HIPAA privacy rule is used to protect the privacy of individual health information, known as protected health information. The security rule, on the other hand, protects the subset of that information covered by the privacy rule, which can be any individual health information created, maintained, received or transmitted by a covered entity in an electronic way.
The security rule means that any covered entity must maintain the appropriate technical, physical and administrative safeguards established for protecting personal information. Covered entities need to ensure that all of the e-PHI they create, maintain, transmit or receive is confidential, and maintains its integrity. They must also take steps to identify potential threats to the security of that information, and protect it against problems.
The Security Rule and Confidentiality
According to the security rule, confidentiality can be defined as e-PHI that is not made available or disclosed to people who are not authorized to view it. The confidentiality requirements of the security rule directly support the privacy rule when it comes to improper disclosure and use of personal healthcare information. The security rule is also used to promote further goals of maintaining the availability and integrity of e-PHI. Beneath the security rule, integrity refers to the fact that personal healthcare information in an electronic medium cannot be destroyed or altered without authorization. Availability suggests that the e-PHI is usable and accessible on demand by any person who is authorized.
One important thing to remember about the HHS, is that it recognizes covered entities can range from incredibly small providers, to large nation-wide health plans. Therefore, the rule regarding security is scalable and flexible to ensure that covered entities are still able to assess their own needs, and create solutions that are appropriate to their particular environments. The rule will not dictate exact measures, but forces the entity to consider certain key factors, including:
- The cost of security measures
- The complexity, capability and size of the entity
- The possible risk or impact to e-PHI
- The software, hardware, or technical infrastructure.
Self hosted cloud such as FileCloud could help organizations in health care industry meet HIPAA standard. Here is a great example of how FileCloud helped Precyse to provide cloud features, while meeting HIPAA standards.
Read more about our HIPAA compliance here
Author: Rahul Sharma
image courtesy: Stuart Miles, freedigitalphotos.net