What is HIPAA?
The Standards for Privacy of Individually Identifiable Health Information (Privacy
Rule) established a set of standards to protect health information. The U.S. Department
of Health and Human Services (HHS) issued the Privacy Rule to implement the requirement
of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). HIPAA
provides guidelines for organisations to implement secure handling of protected
Need for HIPAA
The main aim of HIPAA is to protect the individual's health information during its
transmission by a covered entity or its business associate, in any form, whether
electronic, paper or oral. The Privacy Rule calls this information Protected
Health Information (PHI). If a system handles billing as well as client tracking,
then it must support HIPAA standards. Apart from this, automation, secure transactions
and privacy are expected to result in administrative efficiency.
E-billing is facing serious threats due to hackers. HIPAA applies to any organization
that transmits any electronic billing information such as invoices, or information
needed to look up insurance information to any health insurance company, including
Medicare or Medicaid. This means that HIPAA typically regulates organizations providing
counseling, therapy or other services that need to bill insurance companies.
HIPAA in Risk Management
The 2009 American Recovery and Reinvestment Act (ARRA) includes a section called
the Health Information Technology for Economic and Clinical Health (HITECH) Act.
The HITECH Act adopts “electronic health records” (EHRs) to improve efficiency and
lower healthcare costs. Due to the increase in privacy and security risks, the HITECH
Act introduced new security and privacy related requirements for business associates
The fines for non-compliance with the HIPAA privacy rule have increased significantly
with the introduction of the HITECH Act. An organization can now be fined up to
$1,500,000 per calendar year for each violation.
HIPAA in IT
Security standards apply to the protection of electronically stored or transmitted
information from corruption by viruses, theft by hackers, or the sending of PHI over
unsecured channels. The security standards are not intended to address how paper information
is stored. They mandate safeguards for physical storage maintenance, protection,
and access to individual health information.
Access to equipment containing useful information should be carefully controlled
and monitored. Permission to access hardware and software must be limited to authorized
individuals. Access controls must consist of security plans, maintenance records,
and visitor sign-in and escorts. Workstations should be removed from high traffic
areas and monitor screens should not be in direct view of the public. If the covered
entities utilize contractors or agents, they too must be fully trained on their
physical access responsibilities. Automated security updates are another feature
that could be used to help limit the scope of security threats.
How to follow HIPAA?
IT organisations must follow the HIPAA guidelines below in order to protect
health information from unauthorised use:
- Implement technical policies and procedures for electronic information systems that
maintain electronic protected health information to allow access only to those persons
or software programs that have been granted access rights.
- Implement hardware, software, and procedural mechanisms that record and examine
activity in information systems that contain or use electronic protected health
- Implement policies and procedures to protect electronic protected health information
from improper alteration or destruction.
- Implement procedures to verify that a person or entity seeking access to electronic
protected health information is the authorised one.