An Introduction to HIPAA, the Health Insurance Portability and Accountability Act
Which of the HIPAA regulations will have the most impact on healthcare?
What is the purpose of the HIPAA Security and Electronic Signature standards?
Why are new Security and Electronic Signature standards needed?
What is the electronic signature standard?
How will the standards to protect individual health information be implemented?
Who must comply with the Electronic Signature standard?
Do security requirements apply only to the transactions adopted under HIPAA?
Is it mandatory to use an electronic signature?
Do the Security Standards apply to paper documents?
Does the Security Standard require use of specific technologies?
How will smaller providers be affected?
What are the required timelines for achieving compliance with HIPAA regulations?
What benefits do the new HIPAA regulations provide to healthcare organizations?
What is the tentative schedule for publication of HIPAA Administrative Simplification Regulations?
Put off and delayed, some might even say ignored because of the healthcare industry's recent focus on Y2K, the Health Insurance Portability and Accountability Act, or HIPAA, has now achieved critical status for the industry. Once U.S. policy makers begin issuing final HIPAA regulations, most healthcare organizations will have twenty-four months to comply with rules that will fundamentally affect many of the ways healthcare conducts its business.
The Health Insurance Portability and Accountability Act, or HIPAA, will:
Passed in 1996, HIPAA is designed to protect confidential healthcare information through improved security standards and federal privacy legislation. It defines requirements for storing patient information before, during and after electronic transmission. It also sets out compliance guidelines for critical business tasks such as risk analysis, awareness training, audit trails, disaster recovery plans, information access control and encryption.
These security standards for information access control and encryption may have the most significant impact on how the industry conducts its business.
Complying with Security Standards
There are more than sixty-eight information security conditions in three areas that must be met to ensure compliance with HIPAA. These areas are:
Cost Implications for Healthcare
Many experts in the industry estimate that the impact and cost of HIPAA, and of the organizational changes required to implement it, will dwarf the expense of preparing for Y2K. Unlike the one-time Year 2000 preparations, information security will become a recurring annual IT budget item for training, evaluating, inspecting and updating security systems and policies.
Failure to achieve compliance with HIPAA could also leave hospital executives, physicians and others facing fines of up to $25,000. Certain criminal violations could cost individuals and organizations $250,000 and up to 10 years in jail.
Final costs for compliance will largely depend on whether an organization's current information systems can accommodate the regulation's encryption and standardization requirements. Systems that cannot meet the new functional requirements may have to be replaced. Rules governing the development, verification and security of electronic signatures may prove particularly problematic for some existing systems.
At the core of the new regulations are requirements to systemize, expedite and protect the electronic transfer of healthcare information. These include:
What is the purpose of the HIPAA Security and Electronic Signature standards?
The new standards are being developed to protect the confidentiality, integrity and availability of individual health information.
Why are new Security and Electronic Signature standards needed?
There were no existing standards that provided comprehensive and uniform protection of individual health information. HIPAA's new security standards will permit appropriate access and use of an individual's health information by health care providers, clearinghouses, and health plans while providing appropriate safeguards against misuse and dissemination. HIPAA will also mandate a new electronic signature standard for healthcare organizations when an electronic signature is employed in the transmission of a HIPAA standard transaction.
What is the electronic signature standard?
The Electronic Signature Standard will provide a reliable method of assuring message integrity, user authentication and non-repudiation.
How will the standards to protect individual health information be implemented?
The standards require safeguards for the physical storage and maintenance, transmission, and access to individual health information. Implementation will depend upon the individual organization, its existing technology, and the risks to and vulnerabilities of the information it must protect.
Who must comply with the Electronic Signature standard?
Covered entities must comply with HIPAA. A covered entity means:
1. A health plan.
2. A health care clearinghouse.
3. A health care provider who transmits any health information in electronic form in connection with a transaction covered by the HIPAA transactions regulation.
(HHS Regulations Definitions 160.103)
Any healthcare provider, health care clearinghouse, or health plan that employs an electronic signature in the transmission of one of the transactions adopted under HIPAA. The electronic signature standard applies only to the transactions adopted under HIPAA.
Do security requirements apply only to the transactions adopted under HIPAA?
No. The security standard applies to all individual health information that is maintained or transmitted. This is much broader than the specific transactions currently defined in the law.
Is it mandatory to use an electronic signature?
No. At this time, none of the transactions adopted under HIPAA requires an electronic signature.
Do the Security Standards apply to paper documents?
The most significant change from the proposed regulations is that they now extend to all individually identifiable health information in the hands of covered entities, regardless of whether the information is or has ever been in electronic form. This includes purely paper records and oral communications.
Does the Security Standard require use of specific technologies?
No. The Security Standard is "technologically neutral" in order to facilitate use of the latest and most promising technologies that meet the needs of different healthcare organizations. The security standard is a compendium of security requirements that must be satisfied. While all organizations will be required to meet the basic requirements, particular solutions will likely vary based upon organizational size and complexity.
How will smaller providers be affected?
The proposed security standard does not require extraordinary measures. It involves taking actions that assure the security of the information to be protected. The standard does not dictate specific technologies. The requirements of the standard may be implemented in a number of ways, depending upon the security needs and technologies in place at each business and upon agreements among businesses that work together.
What are the required timelines for achieving compliance with HIPAA regulations?
According to HHS rules, the implementation deadline will be two years and two months after the final HIPAA regulations are released.
It is not yet certain how the privacy regulations will ultimately be interpreted and enforced by the Health Care Financing Administration.
What benefits do the new HIPAA regulations provide to healthcare organizations?
We can identify three important potential benefits.
What is the tentative schedule for publication of HIPAA Administrative Simplification Regulations?
To view the most recent schedule as published by the U.S. Department of Health and Human Services,
Standards are required to be implemented within 2 years of the effective date of the final rule, generally 60 days after publication of the rule. However, the effective date for the National Provider Identifier is planned to be no earlier than 7/2000, to give the Department enough time to develop the system for implementing the identifier.