Health Insurance Portability and
Accountability Act (HIPAA)
In 1996 Congress passed HIPAA to improve the efficiency and
effectiveness of the health care system. To implement the act, the
U.S. Department of Health and Human Services ("DHHS") issued several
new regulatory standards that apply to all covered entities. The act
mandates the adoption of a number of specific guidelines. IRG has
developed assessment services to aid covered entities in complying with
the privacy and security regulations authorized by this act.
The "Privacy Rule"
The Privacy
Rule sets standards for how protected health information
(PHI) should be controlled by setting forth what uses and disclosures
are
authorized or required and what rights patients have with respect to
their health information. The Privacy Rule protects all
"individually identifiable health
information" held or transmitted by a covered entity or its business
associate, in any form or media, whether electronic, paper, or
oral. "Individually identifiable health information" is
information, including demographic data, that relates to:
- the individual’s past, present or future physical or mental
health or condition,
- the provision of health care to the individual, or
- the past, present, or future payment for the provision of
health care to the individual, and that identifies the individual or
for which there is a reasonable basis to believe can be used to
identify the individual.
For the most part, the Privacy Rule protects a subset of
individually identifiable health information, known as protected health
information, that is held or maintained by covered entities or
their business associates acting for the covered entity.
HIPAA Privacy - Compliance Dates
All required privacy compliance steps must be met by the
compliance date set forth by DHHS in the final modifications to the
Privacy Rule. The following table lists the dates by which the
Privacy Rule must be implemented:
Covered Entity                                                   Compliance Date
Health Care Providers                                            April 14, 2003
Medium & Large Health Plans (revenue of $5,000,001 or greater)   April 14, 2003
Small Health Plans (revenue of $5,000,000 or less)               April 14, 2004
Health Care Clearinghouses                                       April 14, 2003
How can Information Risk Group assist you with HIPAA privacy
compliance?
IRG has developed several offerings with respect to the HIPAA
"privacy rule":
- Privacy Notice content, implementation and documentation
reviews
- The administrative, technical and physical safeguards required to
protect protected health information, as established in 45 CFR
164.530(c).
- General Privacy Rule compliance and administration.
Contact IRG today for further
information on how we can help your institution with HIPAA compliance.
The "Security Rule"
The Security Rule provides a set of standards that define the
administrative, physical, and technical safeguards mandated by DHHS to
protect the confidentiality, integrity, and availability of electronic
protected health information (ePHI). The standards require covered
entities to implement safeguards that protect ePHI from unauthorized
access, alteration, deletion, and transmission. These measures must
secure the information while in the custody of entities covered by
HIPAA as well as in transit between covered entities and from covered
entities to others.
Individually identifiable health information includes many
common identifiers (e.g., name, address, birth date, Social Security
Number). To standardize Security Rule compliance for all covered
entities, DHHS codified the rule in 45 CFR parts 160 and 164 (part 162
carries the separate transaction and code set standards). Subpart C of
part 164 groups the required safeguards into three categories:
Administrative Safeguards
- Security Management Process
- Assigned Security Responsibility
- Workforce Security
- Information Access Management
- Security Awareness and Training
- Security Incident Procedures
- Contingency Plan
- Evaluation
- Business Associate Contracts and Other Arrangements
Physical Safeguards
- Facility Access Controls
- Workstation Use
- Workstation Security
- Device and Media Controls
Technical Safeguards
- Access Control
- Audit Controls
- Integrity
- Person or Entity Authentication
- Transmission Security
HIPAA Security - Compliance Dates
All implementation specifications and standards must be met by the
compliance date set forth by DHHS in its final Security Rule.
According to 45 CFR 164.318, the following table lists the dates by
which the security standards must be implemented:
Covered Entity                                                   Compliance Date
Health Care Providers                                            April 20, 2005
Medium & Large Health Plans (revenue of $5,000,001 or greater)   April 20, 2005
Small Health Plans (revenue of $5,000,000 or less)               April 20, 2006
Health Care Clearinghouses                                       April 20, 2005
How can Information Risk Group assist you with HIPAA security
compliance?
IRG has developed several offerings with respect to the HIPAA
"security rule":
- Perform a "gap analysis" against a company's presently
implemented information security program.
- Develop a complete HIPAA security compliance program for
your company based on the factors the rule itself names:
- The size, complexity, and capabilities of the
covered entity.
- The covered entity's technical infrastructure, hardware,
and software security capabilities.
- The costs of security measures.
- The probability and criticality of potential risks to
electronic protected health information.
- Fill in portions of your company's HIPAA compliance program
with respect to the safeguards identified in the lists above.
Companies often lack in-house experience with every safeguard
required by the Security Rule.
Contact IRG today for further information regarding HIPAA privacy and
security compliance.
Information Risk Group LLC
3220 Henderson Blvd.
Tampa, FL 33609
E-mail: inforisk@inforiskgroup.com
Information Risk Group offers information security and risk
management services to companies throughout the Americas.