Health Insurance Portability and Accountability Act (HIPAA)

HIPAA: A Brief Summary

The HIPAA Privacy Rule covers all identifiable information or personal health information (PHI) about a patient that is transferred to or maintained by a healthcare provider, including email, electronic, fax, paper, oral, and voice mail records, as well as phone conversations. HIPAA rules protect the information itself, not the record in which the information appears. In other words, information does not lose its protection simply because it is stored in or printed from a computer. Even now, much confusion exists across all industries about what compliance requires, who must comply, and who need not be concerned. Most healthcare organizations must comply with HIPAA's Privacy Rule by April 14, 2003, but many other organizations, including a large number of employers, will also be affected by this rule. In fact, HIPAA's Privacy Rule will affect all organizations in some way, at least indirectly.

An Introduction to HIPAA Security

HIPAA stands for the Health Insurance Portability and Accountability Act, an act that was enacted in 1996. In fact, portability is exactly what HIPAA is all about. HIPAA is the way that you and your family can have continuity of health insurance through job changes and perhaps even unemployment. Just as employees are portable, so, thanks to HIPAA, is health insurance.

A few decades ago, people stayed in one or two jobs throughout a whole career. In those days people had no need for HIPAA, because their jobs were stable. But today, in a time when jobs and even careers are constantly changing, HIPAA can make a big difference in your personal welfare, or even the welfare of your family.

If you really want to understand HIPAA, you have to understand what HIPAA is not. HIPAA is not a guarantee that you will have health insurance, or that you will keep health insurance after a job change. But HIPAA provisions may help you keep insurance during transitions, and they may help you get other insurance if you lose the insurance coverage that was provided by a previous employer.

How does Information Security relate to HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a law that charges the Department of Health and Human Services to establish regulations for the handling of certain types of health information (HI), collectively known as “protected health information.”

HIPAA itself does not establish the regulations, but provides the framework for regulations (generally known as “rules”) in four areas: transactions and code sets, identifiers, privacy, and security.

  • Transactions and code sets - Deals with the correct and complete transfer of information between health care entities. The idea is that electronic data interchange (EDI) will be made easier by having industry-wide standards for interchange code sets. Rather than needing to negotiate data interchange code sets each time two entities establish a relationship, the entities can simply refer to a particular HIPAA transaction code set.
  • Identifiers - Is the specification for uniquely identifying entities in the health care system. Health care providers, clearinghouses, and insurers are all given unique identifiers within the U.S. health care system to ease the identification of those entities.
  • Privacy - Is the rule that provides guidelines intended to protect the confidentiality of health information. Standards for identification and authentication of people and organizations requesting HI are enumerated in this rule.
  • Security - Is the rule that deals largely with the technical measures used to enforce the organization's information-handling policy. Certain provisions of the Privacy Rule will require implementation of the Security Rule for enforcement.

For UC, the Privacy and Security Rules are most important

Privacy is best defined as “informational self-determination.” HIPAA's Privacy Rule helps to support large-scale privacy by providing policy guidelines, basically spelling out who may share what with whom. The Privacy Rule goes a step further, actually providing additional requirements that deal with the risk of accidental exposure. Thus, operational procedures are also impacted.

Security, when defined broadly as the “enforcement of policy,” is achieved through both operational requirements and technical requirements of systems that deal with protected HI. To this end, HIPAA helps covered organizations to achieve security by providing a clear standard as to what minimum protection must be offered. The benefit that this provides is uniform protection of HI, and helps covered organizations to understand just where they are expected to draw the lines between functionality and security. Information security is one of the goals of HIPAA. Through its Rules, clear and consistent standards have been established that will help covered entities to understand:

  • Which kinds of information are critical (through the definition of protected health information);
  • How to support confidentiality of information (through the policy framework articulated in the Privacy Rule);
  • How to support integrity (through the interchange standards in the Transactions and Code Sets Rule, uniquely-identified entities in the Identifiers Rule, and the technical data integrity standards established in the Security Rule);
  • How to support availability (through provisions in the Security and Privacy Rules).

UC is building an information assurance program that not only adheres to the letter of each of the rules, but supports the spirit and higher-order goals of HIPAA. This will not only help avoid regulatory compliance problems, but supporting the security of health information will also help the U.S. health care system to be worthy of its patients' trust.

What does HIPAA really mean, in layman's terms?

HIPAA has two goals:

  • To make healthcare insurance more accessible by making it "portable". Primarily this means restricting, and in some cases eliminating, the practice of excluding people from coverage because of pre-existing conditions.
  • To make healthcare more accountable in terms of cost. How? By reducing fraud and increasing efficiency and effectiveness through administrative simplification.

What are the implications for me?

Compliance, compliance, compliance. For most healthcare constituencies, administrative simplification is the real crux of HIPAA. Administrative simplification seeks to improve healthcare by standardizing such data as identification numbers and administrative/financial data transactions while protecting the security and privacy of the transmitted information. Compliance, which is mandatory, will engender profound changes in procedures and the implementation of systems to support them. Noncompliance can be extremely expensive, not only because of actual penalties, but also because non-compliant organizations will lose business if they're unable to communicate with compliant organizations.

What is the purpose of the HIPAA Security Standards rule?

The purpose of this Security Standards rule is to adopt national standards for safeguards to protect the confidentiality, integrity, and availability of electronic protected health information. They were needed because there were no standard measures existing in the health care industry that addressed all aspects of the security of electronic protected health information while it is in use, in storage, or during the exchange of that information between entities. HIPAA mandated security standards to protect an individual's health information, while permitting the appropriate access and use of that information by health care providers, clearinghouses, and health plans.

Do the Security Standards require use of specific technologies?

No. The security standards were designed to be "technology neutral" in order to facilitate use of the latest and most promising technologies that meet the needs of different healthcare organizations. Any regulatory requirement for implementation of specific technologies would bind the health care community to specific systems and/or software that may be superseded by rapidly developing technologies and improvements.

  • University of Cincinnati UCIT Office of Information Security
  • University Hall
  • 51 Goodman Drive
  • Cincinnati, OH 45221