The passage of the Health Insurance Portability and Accountability Act (HIPAA)
in 1996 gave the federal government the ability to mandate the ways in which
health care organizations store and transmit individuals’ personal health
information. Until HIPAA’s passage, no national or industry standards governed
the privacy and security of an individual’s health information.
The HIPAA regulation has two parts that directly affect the information
technology (IT) systems and software implemented by a healthcare organization:
(1) The Privacy Rule and (2) The Security Rule.
The purpose of the Privacy Rule is to establish minimum Federal standards for
safeguarding the privacy of individually identifiable health information. Covered
entities, which must comply with the Rule, include health plans, health care
clearinghouses, and certain health care providers.
The Rule confers certain rights on individuals, including rights to access and
amend their health information and to obtain a record of when and why their
Protected Health Information (PHI) has been shared with others for certain
purposes.
The HIPAA regulation also requires covered entities to take specific steps to
protect Electronic PHI (ePHI). All security requirements can be defined as one of
three basic safeguards: (1) administrative, (2) physical, and (3) technical. Some of
the basic requirements are listed below; they include, but are not limited to:
Adopting policies and procedures to protect ePHI
Adopting policies and procedures to protect the security of patient and enrollee information, including a policy on workstation use
Developing and implementing data access control procedures
Implementing technical mechanisms to prevent unauthorized access
Establishing a reporting and response system for confidentiality violations
The HIPAA Privacy and Security Rule requirements are designed to be
ubiquitous, technology-neutral, and scalable from the smallest provider
practice to the largest health plan. Since many of the requirements of the
Privacy and Security Rules relate to policies and procedures, many covered
entities will find that compliance is not the application of an exact template, but
rather a broad-based, customized implementation driven by a host of complex
factors unique to each organization. This means that the IT systems and
software used to implement compliance must be flexible, configurable,
customizable, and scalable so that the organization can fit the tools into its existing
processes to achieve compliance.