HIPAA Security Assessment
The Health Insurance Portability and Accountability Act (HIPAA), signed into law in August 1996, requires the Department of Health and Human Services (DHHS) to adopt national uniform standards for the electronic transmission of certain health information. The intent of HIPAA is "administrative simplification" and protection of patient privacy.
DHHS divides proposed security requirements into the following four groups:
Administrative procedures - documented general practices for establishing and enforcing security policies.
Physical safeguards - documented processes for protecting physical computer systems, buildings, and so on.
Technical security services - processes that protect, control, and monitor access.
Technical security mechanisms - mechanisms for protecting information and restricting access to data transmitted over a network.
Who is affected by HIPAA regulations?
HIPAA affects all health care organizations. In particular, organizations will need to focus on HIPAA compliance in the following areas:
Electronic data interchange (EDI) transactions for health plan enrollment, eligibility, claims payment, premium payment, coordination of benefits, and referral/authorization - HIPAA will mandate specific EDI transaction standards and code sets for data.
Storage and reporting of identifiers - Patient IDs, provider IDs, payer IDs, and employer IDs will be standardized under HIPAA for purposes of electronic transactions. As a result, information systems devoted to administrative, financial, and clinical applications must be able to capture, store, and report these identifiers.
Protecting confidentiality of individually identifiable patient information in an automated system - Organizations must be able to demonstrate sound practices that protect patient confidentiality and security.
Organizations and vendors in the health care industry will need to understand the elements of HIPAA and be aware of the required changes. Providers and health plans will need to review their current information systems for HIPAA compliance. Organizations should also closely review their current confidentiality and security practices. Third party reviews are required. Also, providers and health plans will need to institute policies for selection and acquisition of new information systems that require vendors to demonstrate compliance with known HIPAA requirements and a commitment to meet future requirements.