
HIPAA: Get the Facts

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the U.S. Congress in 1996. It has two major components: Title I, which protects health insurance coverage for workers and their families when they lose or change their jobs; and Title II, the Administrative Simplification Provisions, which aim to improve the efficiency and effectiveness of the U.S. health care system by encouraging the widespread use of electronic data interchange, partly by setting security standards to protect the confidentiality and integrity of "individually identifiable" health information.

What types of organizations are regulated under HIPAA?

HIPAA covers all health care organizations and virtually all organizations that handle electronic health information. This includes all health care providers, health plans, public health authorities, health care clearinghouses and self-insured employers, as well as life insurers, information systems vendors, different types of service organizations and universities.

What is the relationship between HIPAA and Information Security?

The Administrative Simplification Provisions of HIPAA aim to improve the efficiency and effectiveness of the U.S. health care system by encouraging the widespread use of electronic information exchange. As part of that, the provisions set standards for security and privacy to help ensure the confidentiality and integrity of electronic patient data, including health, financial and administrative information.

What are the requirements of the Administrative Simplification Provisions?

The Administrative Simplification Provisions were designed to 1) improve efficiency in health care delivery by standardizing electronic data interchange; and 2) protect the confidentiality and security of health data by setting and enforcing standards. Specifically, HIPAA called upon the Department of Health and Human Services (HHS) to publish new rules that would ensure the standardization of electronic patient data, create unique health identifiers for individuals, employers, health plans and health care providers, and set security standards to protect the confidentiality and integrity of "individually identifiable health information." To achieve these goals, the four rules created by HHS are:

  • Employer Identifier Rule: Standardizes the identifying numbers assigned to employers in the health care industry by using the existing Employer Identification Number (EIN), which is assigned and maintained by the Internal Revenue Service.
  • Electronic Transactions and Code Sets Standards: Establishes standard data elements, codes and formats for submitting electronic claims and other health care transactions.
  • Privacy Rule: Protects the privacy of all individually identifiable health information in the hands of covered entities, regardless of whether the information is or has been in electronic form. The rule establishes the first set of basic national privacy standards and fair information practices that provide all Americans with a basic level of protection of the confidentiality of their health information. It also specifically defines the authorized uses and disclosures of "individually identifiable" health information.
  • Security Rule: Provides for a uniform level of protection of all health information that is housed or transmitted electronically and that pertains to an individual. It requires covered entities to ensure the confidentiality, integrity and availability of all electronic individually identifiable health information the covered entity creates, receives, maintains or transmits. The Security Rule also requires entities to protect against any reasonably anticipated threats or hazards to the security or integrity of electronic personal health information, protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Privacy Rule, and ensure compliance by their workforce.

What type of information is protected by the HIPAA Security Rule?

The following patient information is protected: addresses, dates, telephone/fax numbers, social security numbers, medical records numbers, patient account numbers, insurance plan numbers, vehicle information, license numbers, medical equipment numbers, photographs, fingerprints, e-mail and Internet addresses.

What does the HIPAA Security Rule specifically require of information security programs?

The Security Rule requires covered entities to:

  • Protect the confidentiality, integrity and availability of all electronic protected health information (EPHI) the covered entity creates, receives, maintains or transmits;
  • Protect against any reasonably anticipated threats or hazards to the security or integrity of such information;
  • Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Privacy Rule; and
  • Ensure compliance by its workforce.

It includes specific security standards in three main areas that must be met in order to ensure compliance:

  • Administrative Safeguards: The Administrative Safeguards standards focus on the security management process and include the policies and procedures designed to prevent, detect and respond to security violations. This standard contains four required implementation specifications: risk analysis, risk management, sanction policy and information system activity review.
  • Physical Safeguards: The Physical Safeguards standards focus on protection of EPHI from unauthorized disclosure, modification or destruction. This section includes standards for facility access controls; standards for proper workstation use and physical security of workstations that access EPHI; and policies and procedures that control receipt, movement and removal of hardware and electronic media that contain EPHI.
  • Technical Safeguards: The Technical Safeguards section specifies how to use technology to protect EPHI. These standards focus on access control and authentication; transmission security (including the need to protect both the data's integrity and confidentiality such as with encryption); policies and procedures to protect EPHI from improper alteration or destruction; and methods for providing audit controls.

Does the HIPAA Security Rule mandate the use of specific products?

The Security Rule is intended to be scalable and flexible; therefore, it does not require specific technologies to be used. Organizations may choose solutions that are appropriate to their operations, as long as the selected solutions are supported by a security assessment and risk analysis.

How are the provisions of HIPAA enforced?

HIPAA calls for severe civil and criminal penalties for non-compliance, including fines up to $25K for multiple violations of the same standard in a calendar year, and fines up to $250K and/or imprisonment up to 10 years for knowing misuse of individually identifiable health information.

What is being done in Europe with regard to protecting patients' health information?

In 1995, the European Union (EU) introduced the European Data Protection Directive, which seeks to provide a high level of protection for the privacy of individuals and the free movement of personal data within the EU and across the national borders of the EU member countries. It sets strict limits on the collection and use of personal data and demands that each Member State set up an independent national body responsible for the protection of the data. The Directive states that personal data must be processed fairly and lawfully, collected for specific, explicit and legitimate purposes and kept in a form that permits identification of data subjects for no longer than is necessary. It places some very specific information-handling requirements on the data any organization wants or needs to process in one of the EU countries. U.S. organizations must meet the requirements of the EU Data Protection Directive to continue doing business if it involves sharing and/or processing personal health data with these countries.

The U.S. Department of Commerce and representatives of the EU developed a "Safe Harbor" Agreement in July 2000 to help bridge the difference between the way the U.S. government and the EU approach privacy issues. The Safe Harbor provides a privacy compliance framework and a way for U.S. organizations to avoid interruptions in their business dealings with the EU, or prosecution by European authorities under European privacy laws. Certifying a U.S. organization to the Safe Harbor requirements assures EU entities that the organization provides "adequate" privacy protection as required by the EU Directive. Basically, the Safe Harbor framework provides a simpler and cheaper means of complying with the privacy adequacy requirements of the EU Directive.

What is CSIA's position on HIPAA?

CSIA believes that efforts to ensure the security of personal information, including health information as addressed by HIPAA and the EU Data Protection Directive, are vital to the functioning of the global economy and delivery of citizen services. To ensure the confidentiality and integrity of personal information, the security of digital health information should be further considered as we move toward widespread adoption of electronic health records.