The Health Insurance Portability and Accountability Act of 1996
Overview
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) sets industry-wide standards for the privacy and security of protected health information (PHI). Among other things, HIPAA was established to reduce administrative burdens and costs in health care by standardizing electronic transmission of administrative and financial transactions. HIPAA was amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 to strengthen privacy and security safeguards, which include extending liability to business associates and their subcontractors. Updated requirements are detailed in the final HIPAA Omnibus Rule that went into effect on September 23, 2013.
Key Components and Rules
HIPAA consists of three main components, or compliance areas, that center on policies and procedures, record keeping, technology, and building safety. These include:
1) Administrative – safeguards to ensure patient health information is correct and accessible to authorized parties
2) Physical – safeguards to prevent physical theft or lost devices containing electronic PHI
3) Technical – safeguards to protect networks and devices from unauthorized access and data breaches
Assessing organizational strategy to achieve HIPAA compliance requires understanding six specific rules: 1) privacy; 2) security; 3) transactions and code sets; 4) unique identifiers; 5) enforcement; and 6) breach notification. For more information on each of these rules, visit the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) website here.
Resources
Health care organizations should periodically refer to the Regulations and Guidance webpage of the Centers for Medicare & Medicaid Services (CMS) for more information and resources. The HHS OCR website also provides updated information on guidance and FAQs.
The following HIPAA resources might also be of interest:
The Administrative Simplification Enforcement and Testing Tool (ASSETT)
A CMS web-based application that allows an individual or organization to file a complaint against a HIPAA covered entity for potential non-compliance with non-privacy and security provisions of HIPAA and test HIPAA transactions.
Key HITECH Changes to HIPAA (2018)
Title XIII, Division A of the American Recovery and Reinvestment Act of 2009 (ARRA) comprises the provision of the HITECH Act. These provisions created new requirements under HIPAA, particularly regarding strengthening privacy and security of PHI and increasing the penalties for violations of HIPAA. This flyer provides a chart that summarizes key modifications to HIPAA made by HITECH.
State versus Federal Comparison: HIPAA Privacy Statute & Regulation (2003)
This document compares the similarities and differences in regulations addressing privacy of health care information between the Maryland Confidentiality of Medical Records Act (MCRMA) and HIPAA.
For additional information and resources, visit the MHCC cybersecurity webpage.