Health Insurance Portability and Accountability Act (HIPAA)

From Clinfowiki
Revision as of 13:50, 4 June 2012 by Jhofmanh (Talk | contribs)


The Health Insurance Portability and Accountability Act (HIPAA) sets national minimum privacy requirements for personal, protected health information (PHI). It protects the security and privacy of health data. HIPAA also encourages electronic data interchange among different electronic medical record systems.

History

On August 21, 1996, the United States Congress enacted the Health Insurance Portability and Accountability Act (HIPAA). It is also known as the Kennedy-Kassebaum Act.

Purpose of HIPAA

The purpose of HIPAA is to improve the efficiency, effectiveness, and security of the national health system.

  • Increase efficiency: paperwork is reduced for healthcare providers because records are handled electronically.
  • Reduce fraud and abuse: a digital paper trail makes fraud prosecution easier.
  • Portability: an employee is guaranteed health insurance coverage even when changing jobs.
  • Security: increased security for patient health information and protection of patient rights.
  • Accountability: protecting the integrity, confidentiality and availability of health data.

Security standards

Security refers to the ability to control access and protect information from disclosure to unauthorized persons.

To comply with the security standards, an electronic medical record (EMR) must have written, comprehensive security policies, access controls, control over the physical environment, clearance procedures, and a record of all access authorizations.

Risk Assessment – Technical Safeguards

Background: One of the lessons learned coming out of The Office for Civil Rights (OCR) HIPAA Audit Program is that we must understand where ePHI is and what our team members and business partners are doing with it. Operational practices and controls must safeguard every record, all the time. Audit controls must be designed and documented to account for ePHI and what activities around that ePHI need to be monitored, internally and with our business associates. Assessment validation of control continuance within those frameworks will become critical with Meaningful Use attestation and stage two requirements.

Access Control (164.312(a)(1)) HIPAA Standard: Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in 164.308(a)(4). (Note: this standard supports the Information Access Management administrative standard and the Facility Access Controls physical standard.)

Unique User Identification: Users must have a unique and auditable identification number or credential that records when they access ePHI and the activity they perform on the information.

Emergency Access Procedure: Covered entities must establish which users can access ePHI during an emergency.

Automatic Logoff: Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.

Encryption and Decryption: This implementation specification protects the confidentiality of ePHI, focusing primarily on data at rest. Covered entities must decide how and when to use encryption and decryption.
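The four implementation specifications above (unique user identification, emergency access, automatic logoff, and the decision to encrypt) are easiest to reason about when seen as one access-mediation layer. The following is an added example, not code from Clinfowiki or from any HIPAA guidance document: a small Python gateway that ties every ePHI access to a unique user identifier, enforces an inactivity timeout, grants "break-glass" emergency reads only to designated roles and only with a recorded justification, and writes an audit event for every decision. The role table, the 15-minute timeout and the "assigned patients" model of a treatment relationship are assumptions chosen for illustration; encryption at rest is left to the storage layer and not shown here.

```python
import time
from dataclasses import dataclass, field

# Constructed policy tables (assumptions for this example, not taken from the HIPAA text).
ROLE_PERMISSIONS = {
    "physician": {"read", "write"},
    "nurse": {"read"},
    "billing": set(),
}
EMERGENCY_ROLES = {"physician", "nurse"}   # users established as eligible for break-glass access
INACTIVITY_TIMEOUT = 15 * 60              # seconds of idle time before automatic logoff (assumed policy)


@dataclass
class Session:
    user_id: str                 # unique, auditable identifier for the person or program
    role: str
    last_activity: float
    assigned_patients: set = field(default_factory=set)   # records with a treatment relationship


@dataclass
class AccessDecision:
    allowed: bool
    reason: str
    emergency: bool = False


class EphiGateway:
    """Mediates every access to ePHI and records the decision for the audit-controls standard."""

    def __init__(self, clock=time.time):
        self.clock = clock          # injectable clock so the timeout can be tested deterministically
        self.audit_log = []

    def check_access(self, session, record_id, action, emergency_justification=None):
        now = self.clock()
        event = {"ts": now, "user": session.user_id, "record": record_id, "action": action}

        # Automatic logoff: an idle session is terminated before any access is evaluated.
        if now - session.last_activity > INACTIVITY_TIMEOUT:
            return self._record(event, AccessDecision(False, "session expired after inactivity"))
        session.last_activity = now

        # Role-based permission check for the requested action.
        if action not in ROLE_PERMISSIONS.get(session.role, set()):
            return self._record(event, AccessDecision(False, "action not permitted for role"))

        # Normal case: the user has a treatment relationship with this patient.
        if record_id in session.assigned_patients:
            return self._record(event, AccessDecision(True, "treatment relationship"))

        # Emergency access procedure: designated roles may read a record outside their
        # assignments when they supply a justification; the event is flagged for review.
        if action == "read" and session.role in EMERGENCY_ROLES and emergency_justification:
            event["justification"] = emergency_justification
            return self._record(event, AccessDecision(True, "emergency access", emergency=True))

        return self._record(event, AccessDecision(False, "no treatment relationship"))

    def _record(self, event, decision):
        # Every decision, allowed or denied, becomes an audit event tied to the unique user id.
        event["outcome"] = "allowed" if decision.allowed else "denied"
        event["reason"] = decision.reason
        event["emergency"] = decision.emergency
        self.audit_log.append(event)
        return decision


if __name__ == "__main__":
    gateway = EphiGateway()
    physician = Session("dr-lee", "physician", time.time(), {"MRN-1001"})
    gateway.check_access(physician, "MRN-1001", "read")
    gateway.check_access(physician, "MRN-1002", "read", emergency_justification="unresponsive patient in ED")
    for entry in gateway.audit_log:
        print(entry)
```

The emergency path deliberately allows only reads and requires a free-text justification, so that the audit reviewer can later judge whether the break-glass use was appropriate; the decision object and the audit event carry the same reason string so that reviews and user-facing denials never disagree.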

Audit Controls (164.312(b)) HIPAA Standard: Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information, to help ensure that systems have not been harmed by hackers, insiders, or technical problems.
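The standard asks not only that activity be recorded but that it be examined. As an added example (not from the Clinfowiki page or any real EMR product), the Python script below parses a few constructed audit records in a simple key=value format and raises three kinds of review findings a covered entity would typically look for: emergency (break-glass) accesses that need after-the-fact justification review, users with repeated denied attempts, and users touching an unusually large number of distinct records within one hour. The log format and the thresholds are assumptions chosen for this illustration, not values prescribed by HIPAA.

```python
import re
from collections import defaultdict

# Thresholds are assumed local policy values, not HIPAA-mandated numbers.
DENIAL_THRESHOLD = 3    # denied attempts by one user before flagging
VOLUME_THRESHOLD = 3    # distinct records one user may touch per hour before flagging

# Constructed sample audit records (not from any real system).
SAMPLE_LOG = """\
2012-06-04T09:01:00 user=dr-lee record=MRN-1001 action=read outcome=allowed
2012-06-04T09:02:10 user=dr-lee record=MRN-1001 action=write outcome=allowed
2012-06-04T09:05:00 user=nurse-42 record=MRN-1002 action=read outcome=allowed
2012-06-04T22:10:00 user=billing-7 record=MRN-1001 action=read outcome=denied
2012-06-04T22:10:05 user=billing-7 record=MRN-1002 action=read outcome=denied
2012-06-04T22:10:09 user=billing-7 record=MRN-1003 action=read outcome=denied
2012-06-04T23:40:00 user=nurse-42 record=MRN-1003 action=read outcome=allowed emergency=true
2012-06-05T03:00:00 user=dr-lee record=MRN-1004 action=read outcome=allowed
2012-06-05T03:00:30 user=dr-lee record=MRN-1005 action=read outcome=allowed
2012-06-05T03:01:00 user=dr-lee record=MRN-1006 action=read outcome=allowed
2012-06-05T03:01:30 user=dr-lee record=MRN-1007 action=read outcome=allowed
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<fields>.*)$")


def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = {"ts": m.group("ts")}
    for pair in m.group("fields").split():
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def review_audit_log(lines):
    """Examine recorded activity and return a list of findings for human review."""
    events = [e for e in map(parse_line, lines) if e]
    findings = []
    denials = defaultdict(int)
    per_hour = defaultdict(set)     # (user, hour bucket) -> distinct records accessed

    for e in events:
        # Every break-glass access must be reviewed, whatever the volume.
        if e.get("emergency") == "true":
            findings.append({"type": "emergency_access", "user": e["user"],
                             "record": e["record"], "ts": e["ts"]})
        if e.get("outcome") == "denied":
            denials[e["user"]] += 1
        else:
            per_hour[(e["user"], e["ts"][:13])].add(e["record"])   # "YYYY-MM-DDTHH"

    for user, n in denials.items():
        if n >= DENIAL_THRESHOLD:
            findings.append({"type": "repeated_denials", "user": user, "count": n})

    for (user, hour), records in per_hour.items():
        if len(records) > VOLUME_THRESHOLD:
            findings.append({"type": "high_volume", "user": user,
                             "hour": hour, "records": len(records)})
    return findings


if __name__ == "__main__":
    for finding in review_audit_log(SAMPLE_LOG.splitlines()):
        print(finding)
```

Real reviews would also join the access log against scheduling or admission data to confirm a treatment relationship for each access, which is what makes the "high volume" heuristic meaningful rather than merely noisy.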

Integrity Controls (164.312(c)(1)), Mechanism to Authenticate ePHI. HIPAA Standard: Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.

Person or Entity Authentication (164.312(d)) HIPAA Standard: Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
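Verifying that a user is who they claim to be usually starts with a credential check, and the way credentials are stored determines how much damage a stolen credential database can do. The following is an added example (not from the Clinfowiki page): a Python credential store in which each password is enrolled as a salted PBKDF2-HMAC-SHA256 hash, verified with a constant-time comparison, and in which a lookup of an unknown user still performs a full hash computation so that response timing does not reveal which user identifiers exist. The iteration count, the stored-string layout and the user identifiers are assumptions for this illustration.

```python
import base64
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000     # assumed local policy value; raise as hardware allows


def enroll(password):
    """Return a self-describing stored credential: algorithm$iterations$salt$digest."""
    salt = os.urandom(16)                       # fresh random salt per credential
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join([
        ALGORITHM,
        str(ITERATIONS),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify(stored, password):
    """Recompute the digest from the stored parameters and compare in constant time."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False                            # malformed record never authenticates
    if algorithm != ALGORITHM:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


# A throwaway credential used so that lookups of unknown users cost the same as real ones.
_DUMMY = enroll("placeholder-for-timing")


def authenticate(credentials, user_id, password):
    """Authenticate user_id against a dict of unique user id -> stored credential."""
    stored = credentials.get(user_id, _DUMMY)    # unknown user still pays for a full PBKDF2 run
    return verify(stored, password) and user_id in credentials


if __name__ == "__main__":
    # Constructed credential store keyed by the unique user identifier.
    store = {"dr-lee": enroll("correct horse battery staple")}
    print(authenticate(store, "dr-lee", "correct horse battery staple"))   # True
    print(authenticate(store, "dr-lee", "wrong password"))                 # False
    print(authenticate(store, "nobody", "anything"))                       # False
```

The stored string carries its own algorithm name and iteration count, so a covered entity can raise the work factor later and re-enroll users gradually at their next successful login without a flag day.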

Transmission Security (164.312(e)(1)) HIPAA Standard: Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communication network.

Integrity Controls: Covered entities must implement controls to protect against message tampering during ePHI communications. These controls ensure that the received message is the same message that was sent.

Encryption: Covered entities must implement encryption controls where appropriate to protect ePHI.
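Both the Integrity Controls standard (a mechanism to authenticate ePHI) and the integrity specification under Transmission Security come down to the same question: can the receiver prove that the bytes it holds are the bytes that were written or sent? The Python example below is added here and is not code from Clinfowiki or any HIPAA reference. It seals a record with an HMAC-SHA256 tag over a canonical serialization, verifies the tag with a constant-time comparison on receipt, and shows that changing a single lab value is detected. The record contents, the field names and the shared key are constructed for the illustration; a real deployment would distribute the key out of band and still encrypt the channel, because an HMAC proves integrity and origin but provides no confidentiality.

```python
import hashlib
import hmac
import json
import secrets


def canonical_bytes(record):
    """Deterministic serialization so sender and receiver authenticate identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(record, key):
    """Attach an HMAC-SHA256 tag computed over the canonical form of the record."""
    payload = canonical_bytes(record)
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload.decode("utf-8"), "tag": tag}


def open_sealed(envelope, key):
    """Verify the tag before trusting the payload; raise if the message was altered."""
    payload = envelope["payload"].encode("utf-8")
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, envelope["tag"]):
        raise ValueError("integrity check failed: ePHI message was altered or tag is invalid")
    return json.loads(payload)


def tamper_is_detected(key):
    """Seal a constructed lab result, alter it in transit, and report whether the alteration is caught."""
    record = {"mrn": "MRN-1001", "test": "HbA1c", "value": 6.1, "unit": "%"}   # constructed sample
    envelope = seal(record, key)
    envelope["payload"] = envelope["payload"].replace("6.1", "9.1")          # simulated tampering
    try:
        open_sealed(envelope, key)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    shared_key = secrets.token_bytes(32)      # constructed key; distribute out of band in practice
    record = {"mrn": "MRN-1001", "test": "HbA1c", "value": 6.1, "unit": "%"}
    print(open_sealed(seal(record, shared_key), shared_key) == record)   # True
    print(tamper_is_detected(shared_key))                                 # True
```

Canonicalizing before tagging matters: if sender and receiver serialize a record with different key order or whitespace, a legitimate message fails verification and operators learn to ignore integrity failures, which defeats the control.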

The Privacy Rule

The Privacy Rule defines the minimum Federal standards for protection of patient data by a covered entity for research and other purposes. It specifies who is a Covered Entity, what protected health information (PHI) is, and the conditions under which PHI can be distributed.

In general, there are three ways that PHI can be distributed by a Covered Entity under the Privacy Rule. The first is by the creation of De-Identified Patient Data. This process theoretically removes all individually identifying information from the patient record, allowing the data to be used for research or financial gain without the ability to link the information back to a particular person. In reality, this has not been completely successful.
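The sentence "in reality, this has not been completely successful" is easier to appreciate with a concrete record. The Python example below is added here and is not from the Clinfowiki page; it follows the general shape of the Privacy Rule's Safe Harbor approach, in which direct identifiers are removed and quasi-identifiers are generalized (dates reduced to the year, ZIP codes to their first three digits, ages of 90 and over grouped together), and then shows the residual risk: a uniqueness check over the generalized fields that finds a record which is still the only one of its kind in the release. The field names, the four constructed patient records and the chosen subset of identifiers are assumptions for the illustration, not a complete Safe Harbor implementation.

```python
# Direct identifiers removed outright (a subset of the Safe Harbor list, for illustration).
DIRECT_IDENTIFIERS = {"name", "ssn", "mrn", "phone", "email", "street", "city"}
# Generalized quasi-identifiers that a release would still contain.
QUASI_IDENTIFIERS = ("zip3", "birth_year", "sex")

# Constructed sample records; no real patients.
SAMPLE_RECORDS = [
    {"name": "A. Patient", "ssn": "000-00-0001", "mrn": "MRN-1", "zip": "02139",
     "birth_date": "1950-03-04", "sex": "F", "age": 62, "diagnosis": "I10"},
    {"name": "B. Patient", "ssn": "000-00-0002", "mrn": "MRN-2", "zip": "02138",
     "birth_date": "1950-11-30", "sex": "F", "age": 61, "diagnosis": "E11"},
    {"name": "C. Patient", "ssn": "000-00-0003", "mrn": "MRN-3", "zip": "02142",
     "birth_date": "1920-01-01", "sex": "M", "age": 92, "diagnosis": "I10"},
    {"name": "D. Patient", "ssn": "000-00-0004", "mrn": "MRN-4", "zip": "02139",
     "birth_date": "1950-06-06", "sex": "F", "age": 62, "diagnosis": "J45"},
]


def deidentify(record):
    """Drop direct identifiers and generalize quasi-identifiers in one record."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue                                   # removed entirely
        if key == "zip":
            out["zip3"] = str(value)[:3]               # keep only the first three digits
        elif key.endswith("_date"):
            out[key[:-len("_date")] + "_year"] = str(value)[:4]   # dates reduced to the year
        elif key == "age":
            out["age"] = "90+" if int(value) >= 90 else int(value)  # aggregate ages 90 and over
        else:
            out[key] = value                           # clinical content passes through
    return out


def find_unique_combinations(records, keys=QUASI_IDENTIFIERS):
    """Return quasi-identifier combinations that occur exactly once (k = 1) in the release."""
    counts = {}
    for r in records:
        combo = tuple(r.get(k) for k in keys)
        counts[combo] = counts.get(combo, 0) + 1
    return [combo for combo, n in counts.items() if n == 1]


if __name__ == "__main__":
    released = [deidentify(r) for r in SAMPLE_RECORDS]
    for r in released:
        print(r)
    print("still unique:", find_unique_combinations(released))
```

A combination that occurs once is the starting point for re-identification by linkage with an outside dataset such as a voter roll, which is the concern behind reference [1]; releases are therefore often suppressed or further generalized until every combination appears at least k times.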

The second method is to get written permission from the patient to release their PHI.

[1]

Lastly, an Institutional Review Board (IRB) can also allow for use of Protected Health Information (PHI) in specific situations for certain types of research.

Implications to Clinical Information Systems

References

  1. http://dataprivacylab.org/projects/identifiability/index.html
  2. http://privacyruleandresearch.nih.gov/pdf/HIPAA_Privacy_Rule_Booklet.pdf