HIPAA

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) addresses the security and privacy of health data. HIPAA requires that the privacy of health records be protected wherever they reside and whenever they are moved. Healthcare organizations must be able to demonstrate that they have standardized mechanisms for the security and confidentiality of all healthcare-related data. From an IT perspective, there are several general guidelines that covered entities must follow:

  • Ensure the confidentiality, integrity and availability of all ePHI, including the protection of patient privacy by encrypting medical records.

  • Protect against reasonably anticipated threats or hazards to the ePHI the entity creates, receives, maintains or transmits.

  • Deliver visibility, control and detailed auditing of data transfer.

  • Protect against reasonably anticipated uses or disclosures of ePHI, including preventing the loss of confidential medical records via removable devices.

  • Ensure that the organization's workforce complies with HIPAA and minimizes the threat of data being stolen for financial gain.

  • Review security measures as needed to ensure reasonable and appropriate protection of ePHI.

That means the impact of HIPAA can be felt in nearly every aspect of IT operations, including messaging, storage, virtualization and even networking, so long as electronic PHI (ePHI) records are stored within or transferred over them. In turn, IT must be able to produce evidence of the security of these systems for compliance audits.

HIPAA states that:

A person who knowingly and in violation of this part:

  • uses or causes to be used a unique health identifier;

  • obtains individually identifiable health information relating to an individual; or

  • discloses individually identifiable health information to another person,

shall be punished as provided below:

  • be fined not more than $50,000, imprisoned not more than 1 year, or both;

  • if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than 5 years, or both; and

  • if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both.

The American Recovery and Reinvestment Act (ARRA) makes significant changes to the federal HIPAA privacy laws, including:

  • New accounting requirements for disclosures through an electronic medical record for payment, treatment and health care operations;

  • Creating new notification requirements for breaches of privacy or security of protected patient information;

  • Refining “minimum necessary” standards;

  • Limitations on use of patient health information for marketing purposes;

  • Requiring that patients have an opportunity to opt out of fundraising communications;

  • Expanding HIPAA provisions and penalties to business associates of health care providers;

  • New prohibitions on certain sales of patient health information;

  • Higher penalties for HIPAA violations;

  • Allowing persons harmed by a HIPAA violation to share in a portion of a monetary penalty or settlement; and

  • Allowing state attorneys general to enforce HIPAA.

Unless delayed by the Secretary of HHS, the accounting requirement will begin to apply on January 1, 2014, to disclosures from an electronic health record acquired before January 1, 2009, and on January 1, 2011, to disclosures from an electronic health record acquired after January 1, 2009. Additionally, many of the HIPAA changes require HHS to promulgate new regulations or guidelines during the next 18 months to fully implement the new requirements.