Note From The Author, Gus
HIPAA compliance is required of all healthcare-related organizations, and of anyone else that processes, transmits, or stores personal health information (PHI). In essence, it is vulnerability management. In this article, I will briefly describe HIPAA, its close relative the HITECH Act, and some of the concerns they raise.
By definition, the Health Insurance Portability and Accountability Act of 1996 (HIPAA; Pub.L. 104-191, 110 Stat. 1936, enacted August 21, 1996) was enacted by the United States Congress and signed by President Bill Clinton in 1996. It was originally sponsored by Sen. Edward Kennedy (D-Mass.) and Sen. Nancy Kassebaum (R-Kan.). Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs. Title II of HIPAA, known as the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers.
~Wikipedia
As you can see, it is Title II that is of most concern to healthcare-related companies. The Department of Health and Human Services requires standards-based security implementations from all healthcare organizations.
Though HIPAA does not mandate the type of technology a company must use, it does set out a strict list of principles that must be adopted and followed. One of these principles, security technology auditing, is detailed in the Final Rule at 45 CFR Part 164.308. This principle mandates administrative safeguards, assurance requirements, appropriate training, security management, and procedures for recording and handling incidents.
HITECH, short for the Health Information Technology for Economic and Clinical Health Act, is part of the American Recovery and Reinvestment Act of 2009 (ARRA). ARRA contains incentives related to healthcare information technology in general, and specific incentives relating to electronic health record (EHR) systems in healthcare organizations.
Even though many feel these Acts were really designed to allow seamless sharing of medical information between healthcare organizations and third parties, they do provide stiff penalties for willful neglect.
In addition to adhering to a number of specific requirements, there are two key areas your organization should address. First, make certain you select and deploy security measures and technology that will allow you to meet the HIPAA and HITECH Act requirements. Second, design a plan for auditing your controls; today, that may include using the services of a third-party vulnerability management company.
Here is an overview of the HIPAA responsibilities:
Security Management Process: Design and implement an appropriate policy to predict, detect, prevent, isolate, contain, and handle security violations.
Evaluation: As mentioned above, put in place a method for auditing your processes.
Risk Analysis: Rather than only handling issues after the fact, or updating your controls only in response to violations, it is your responsibility to conduct regular risk assessments based on predictable risks.
Risk Management: Implement security measures to reduce the occurrence of violations.
Security Incident Procedures: Implement a plan for addressing, responding to, and reporting security incidents.
Associate Contracts: Have written contracts with all third-party organizations and handlers of PHI.
For a complete understanding of, and compliance with, all responsibilities, please refer to Health Information Privacy and the HIPAA Survival Guide.