The Health Insurance Portability and Accountability Act (HIPAA) has changed the healthcare information security landscape in the U.S. Compliance has become a critical issue for all organizations that come in contact with health information. Here is a summary of the HIPAA basics.

HIPAA, also known as the Kennedy-Kassebaum Act, was passed by the U.S. Congress and signed into law in 1996 to establish health insurance reform and healthcare administrative simplification for various healthcare entities, including health plans, healthcare clearinghouses such as billing services and community health information systems, and healthcare providers that transmit healthcare data in a way that is regulated by HIPAA.

Administered by HHS, HIPAA Title I supports the continuation of health insurance coverage for workers and their families when they change or lose their jobs. Title II defines numerous offenses relating to healthcare and healthcare-related information and sets civil and criminal penalties for entities that fail to abide by HIPAA standards.

The most significant provisions of Title II for IT organizations are its Administrative Simplification rules. Per the requirements of Title II, HHS has established five rules regarding Administrative Simplification:
- Privacy Rule
- Transactions and Code Sets Rule
- Security Rule
- Unique Identifiers Rule
- Enforcement Rule

Various security standards apply to each of these rules, particularly the Security Rule, which establishes three categories of safeguards: Administrative Safeguards, Physical Safeguards, and Technical Safeguards. Each safeguard area includes both required and addressable implementation specifications. Required specifications must be adopted and administered as dictated by the rule. Addressable specifications are more flexible: the entity must assess whether the specification is reasonable and appropriate in its environment and, if it decides not to implement it, document why and implement an equivalent alternative measure where one is reasonable and appropriate. Yet for both required and addressable specifications, how organizations satisfy individual security requirements and which technology they choose are left to the business decisions of each entity.

Healthcare organizations face fines for noncompliance with HIPAA regulations. Penalties include civil penalties of up to $25,000 per calendar year for violations of an identical requirement, and, for wrongful disclosure of individually identifiable health information, criminal penalties of up to $50,000, imprisonment for not more than one year, or both.

HIPAA Fines are Real

In July 2008, HHS announced a formal action against Providence Health & Services. HHS required Providence to pay $100,000 and implement a detailed Corrective Action Plan to ensure that it will appropriately safeguard identifiable electronic patient information against theft or loss.

This case emphasizes that there is a renewed interest in HIPAA and sends a clear message that HHS has the authority and intent to take enforcement action. Whether it would do so has been a debate of sorts ever since the passage of HIPAA. These matters are frequently resolved on a consultative basis with the HHS Office for Civil Rights (OCR), which prefers to work with the healthcare organization to resolve problems. The HHS Office of Inspector General (OIG), however, has been critical of HHS' lack of enforcement activity in the past. Providence is an example that shows HHS can and will act on HIPAA violations.