Health Insurance Portability & Accountability Act (HIPAA)
Healthcare organizations can easily communicate with other healthcare providers, doctors, insurance companies and patients electronically, sharing patient diagnoses and insurance reports. However, along with the advantages of electronic communication, healthcare organizations must be even more stringent in their information distribution standards. Under the Health Insurance Portability and Accountability Act (HIPAA), a new federal privacy standard for healthcare information, organizations can face specific criminal and civil penalties if a patient's right to privacy is violated, including through disclosures made in error.
A recent survey revealed that one-fifth of Americans believe their personal health information has been used inappropriately. In order to continue to serve patients, healthcare organizations must enact stricter security and privacy policies.
What is HIPAA?
The primary purpose of the Health Insurance Portability and Accountability Act was to enable employees and families to transfer healthcare benefits from one employer to another. A secondary goal of HIPAA is to standardize the electronic transmission of administrative and financial transactions in healthcare organizations. Because of the confidential nature of this data, HIPAA requires organizations to ensure the security and safety of all individually-identifiable healthcare information. These security standards are applied to all healthcare information whether used only internally within an organization or used for transfer between healthcare organizations.
Who is affected by HIPAA?
HIPAA requires all health plans (e.g. health insurance companies, HMOs, Medicare and Medicaid), all health care clearinghouses (e.g. entities that translate and interpret billing information) and those health care providers that electronically transmit certain health transactions (e.g. claims, eligibility, referrals, claims status) to comply with its administrative rules and regulations. HIPAA also extends certain responsibilities for maintaining the privacy and security of health information to vendors that perform services on behalf of health plans, health care providers and health care clearinghouses, through arrangements called business associate agreements.
How will HIPAA regulations be enforced?
The standards and proposed rules outline both civil and criminal punishments, depending on intent. The Centers for Medicare and Medicaid Services are responsible for civil punishment of HIPAA violations. The Department of Justice will be responsible for criminal punishment. In addition, HIPAA compliance can be expected to be an ongoing portion of accreditation audits.
What could happen if my organization doesn't comply?
Your company and its executives could face civil, monetary and criminal penalties, including but not limited to fines of up to $250,000 and imprisonment of not more than 10 years.
What types of security controls are needed to comply with HIPAA?
The security technologies needed to comply include access control, authentication, encryption, policy management, and electronic archival and auditing. These types of security methods are already used by many industries, including the financial services industry.
In order to comply, healthcare providers will have to limit employee access to patient data based on each employee's position within the organization, and data will need to be encrypted both while in storage and while in transit. Healthcare organizations will also need to archive copies of all data and correspondence.
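As an added illustration of the position-based access limit and the auditing requirement described above (example code written for this page, not a product or library from any vendor named here), the following Python shows a minimum-necessary filter: each role is granted only the record fields its job needs, and every request, granted or denied, is written to an audit trail. The roles, field names and patient record are constructed sample data.

```python
from datetime import datetime, timezone

# Constructed sample patient record; all values are hypothetical.
PATIENT_RECORD = {
    "patient_id": "P-0001",
    "name": "Sample Patient",
    "diagnosis": "Type 2 diabetes",
    "insurance_id": "INS-4242",
    "billing_balance": 120.50,
}

# Minimum-necessary policy (assumed roles): a role sees only the
# fields that its position within the organization requires.
ROLE_FIELDS = {
    "physician": {"patient_id", "name", "diagnosis"},
    "billing_clerk": {"patient_id", "name", "insurance_id", "billing_balance"},
    "receptionist": {"patient_id", "name"},
}

# In-memory audit trail; a real deployment would write this to
# tamper-evident, archived storage.
AUDIT_LOG: list[dict] = []


def access_record(user: str, role: str, record: dict, requested: set[str]) -> dict:
    """Return only the requested fields the role may see, and record an
    audit entry for the request whether or not anything was denied."""
    allowed_fields = ROLE_FIELDS.get(role, set())  # unknown role -> nothing
    granted = requested & allowed_fields
    denied = requested - allowed_fields
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "role": role,
        "patient_id": record["patient_id"],
        "granted": sorted(granted),
        "denied": sorted(denied),
    })
    return {field: record[field] for field in granted}


if __name__ == "__main__":
    # A billing clerk asks for a clinical field; it is withheld and logged.
    view = access_record("jdoe", "billing_clerk", PATIENT_RECORD,
                         {"name", "diagnosis", "billing_balance"})
    print(view)
    print(AUDIT_LOG[-1])
```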
I already have a firewall. Is additional security technology needed?
Yes. Firewalls and other traditional security measures only protect information while it resides on the network. Healthcare organizations are also required to maintain the security of the data while it is in transit to other organizations. All healthcare information must be protected, whether in storage or being sent to the patient, another healthcare organization or an insurance company.
In addition, you need to have archiving guidelines and other security measures in place to be in compliance with HIPAA.
What security products help with HIPAA compliance?
Healthcare organizations have to be vigilant about the integrity and security of personal healthcare data. Products from Check Point Technologies, Network Intelligence, RSA Security and eEye have been developed to help meet the government mandates set by HIPAA.
