Health Insurance Portability and Accountability Act (HIPAA)
In 1996 Congress passed HIPAA to improve the efficiency and effectiveness of the health care system. To implement the act, the U.S. Department of Health and Human Services ("DHHS") issued several regulatory standards that apply to all covered entities (health plans, health care clearinghouses, and health care providers that transmit health information electronically). The act mandates the adoption of a number of specific requirements. IRG has developed assessment services to aid covered entities in complying with the privacy and security regulations authorized by this act.
The "Privacy Rule"
The Privacy Rule sets standards for how protected health information (PHI) should be controlled by setting forth what uses and disclosures are authorized or required and what rights patients have with respect to their health information. The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. "Individually identifiable health information" is information, including demographic data, that relates to:
- the individual’s past, present or future physical or mental health or condition,
- the provision of health care to the individual, or
- the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe can be used to identify the individual.
For the most part, the Privacy Rule protects a subset of individually identifiable health information, known as protected health information, that is held or maintained by covered entities or their business associates acting for the covered entity.
The "Security Rule"
The Security Rule provides a set of standards that define the administrative, physical, and technical safeguards mandated by DHHS to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI). The standards require covered entities to implement safeguards that protect ePHI from unauthorized access, alteration, deletion, and transmission. These measures must secure the information while it is in the custody of entities covered by HIPAA, while it is in transit between covered entities, and while it is in transit from covered entities to others.
Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number). To standardize Security Rule compliance for all covered entities, DHHS has issued 45 CFR Parts 160, 162, and 164; the Security Rule standards themselves appear in Part 164, Subpart C. The regulation groups the required safeguards into three categories:
- Administrative Safeguards
- Physical Safeguards
- Technical Safeguards
HIPAA - Compliance Dates have all passed
All required privacy compliance steps should have been met by the compliance date set forth by HHS in the final modifications to the Privacy Rule. The following table lists the dates by which the "Privacy Rule" had to be implemented (45 CFR 164.534):
Covered Entities | Compliance Date
Health Care Providers | April 14, 2003
Medium & Large Health Plans (annual receipts of $5,000,001 or greater) | April 14, 2003
Small Health Plans (annual receipts of $5,000,000 or less) | April 14, 2004
Health Care Clearinghouses | April 14, 2003
The Security Rule has its own compliance dates, set in 45 CFR 164.318: April 20, 2005 for most covered entities and April 20, 2006 for small health plans. All of these dates have passed, so a covered entity that has not yet implemented the Privacy and Security Rules is already out of compliance.
How can Info Risk Group assist you with HIPAA privacy compliance?
IRG has developed several offerings with respect to the HIPAA "Privacy Rule":
- Privacy Notice content, implementation, and documentation reviews.
- Review of the administrative requirements and safeguards for protecting health information established in 45 CFR 164.530.
- General Privacy Rule compliance and administration.
Contact IRG today for further information on how we can help your institution with HIPAA compliance.
How can Information Risk Group assist you with HIPAA security compliance?
IRG has developed several offerings with respect to the HIPAA "Security Rule":
- Perform a "Gap Analysis" of your company's presently implemented Information Security Program against the Security Rule standards.
- Develop a complete HIPAA security compliance program for your company based on the factors the Security Rule itself directs covered entities to consider (45 CFR 164.306(b)(2)):
- The size, complexity, and capabilities of the covered entity.
- The covered entity's technical infrastructure, hardware, and software security capabilities.
- The costs of security measures.
- The probability and criticality of potential risks to electronic protected health information.
- Fill in the portions of your company's HIPAA compliance program that address the three safeguard categories identified above (administrative, physical, and technical). Companies often lack in-house experience in every safeguard area the Security Rule requires.
Contact IRG today for further information regarding HIPAA privacy and security compliance.
Information Risk Group LLC
3220 Henderson Blvd.
Tampa, FL 33609
E-mail:
Offering information security and risk management services to companies throughout the Americas.