The HIPAA Privacy Rule covers all identifiable information or personal health information (PHI) about a patient that is transferred to or maintained by a healthcare provider, including email, electronic, fax, paper, oral, and voice mail records, as well as phone conversations. HIPAA rules protect the information itself, not the record in which the information appears. In other words, information does not lose its protection simply because it is stored in or printed from a computer. Even at this late date, much confusion exists in all industries regarding compliance requirements, who must comply, and who need not worry about compliance. Most healthcare organizations must comply with HIPAA's Privacy Rule by April 14, 2003, but many other organizations, including a large number of employers, also will be affected by this rule. In fact, HIPAA's Privacy Rule will impact, at least indirectly, all organizations in some way.
HIPAA stands for the Health Insurance Portability and Accountability Act, an act that was enacted in 1996. In fact, portability is exactly what HIPAA is all about. HIPAA is the way that you and your family can have a continuity of health insurance even through job changes and perhaps even unemployment. Just as employees are portable, so should be health insurance, thanks to HIPAA.
A few decades ago, people stayed in one or two jobs throughout a whole career. In those days people had no need for HIPAA, because their jobs were stable. But today, in a time when jobs and even careers are constantly changing, HIPAA can make a big difference in your personal welfare, or even the welfare of your family.
If you really want to understand HIPAA, you have to understand what HIPAA is not. HIPAA is not a guarantee that you will have health insurance, or that you will keep health insurance after a job change. But HIPAA provisions may help you keep insurance during transitions, and they may help you get other insurance if you lose the insurance coverage that was provided by a previous employer.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a law that charges the Department of Health and Human Services to establish regulations for the handling of certain types of health information (HI), collectively known as “protected health information.”
HIPAA itself does not establish the regulations, but provides the framework for regulations (generally known as “rules”) in four areas: transactions and code sets, identifiers, privacy, and security.
Privacy is best defined as “informational self-determination.” HIPAA's Privacy Rule helps to support large-scale privacy by providing policy guidelines, basically spelling out who may share what with whom. The Privacy Rule goes a step further, actually providing additional requirements that deal with the risk of accidental exposure. Thus, operational procedures are also impacted.
Security, when defined broadly as the “enforcement of policy,” is achieved through both operational requirements and technical requirements of systems that deal with protected HI. To this end, HIPAA helps covered organizations to achieve security by providing a clear standard as to what minimum protection must be offered. The benefit is uniform protection of HI, and the standard also helps covered organizations to understand just where they are expected to draw the lines between functionality and security. Information security is one of the goals of HIPAA. Through its Rules, clear and consistent standards have been established that will help covered entities to understand:
UC is building an information assurance program that not only adheres to the letter of each of the rules, but supports the spirit and higher-order goals of HIPAA. This will not only help avoid regulatory compliance problems, but supporting the security of health information will also help the U.S. health care system to be worthy of its patients' trust.
HIPAA has two goals:
Compliance, compliance, compliance. For most healthcare constituencies, administrative simplification is the real crux of HIPAA. Administrative simplification seeks to improve healthcare by standardizing such data as identification numbers and administrative/financial data transactions while protecting the security and privacy of the transmitted information. Compliance, which is mandatory, will engender profound changes in procedures and the implementation of systems to support them. Noncompliance can be extremely expensive, not only because of actual penalties, but also because noncompliant organizations will lose business if they're unable to communicate with compliant organizations.
The purpose of this Security Standards rule is to adopt national standards for safeguards to protect the confidentiality, integrity, and availability of electronic protected health information. They were needed because there were no standard measures existing in the health care industry that addressed all aspects of the security of electronic protected health information while it is in use, in storage, or during the exchange of that information between entities. HIPAA mandated security standards to protect an individual's health information, while permitting the appropriate access and use of that information by health care providers, clearinghouses, and health plans.
No. The security standards were designed to be "technology neutral" in order to facilitate use of the latest and most promising technologies that meet the needs of different healthcare organizations. Any regulatory requirement for implementation of specific technologies would bind the health care community to specific systems and/or software that may be superseded by rapidly developing technologies and improvements.