Health Information Technology: HIPAA

The Health Insurance Portability and Accountability Act of 1996

Overview

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) sets national standards for the privacy and security of protected health information (PHI).  Among other things, HIPAA was enacted to reduce administrative burdens and costs in health care by standardizing the electronic transmission of administrative and financial transactions.  HIPAA was strengthened by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, which expanded the privacy and security safeguards and extended direct liability to business associates and their subcontractors.  The updated requirements are detailed in the final HIPAA Omnibus Rule, which became effective on March 26, 2013, with a compliance date of September 23, 2013.

Key Components and Rules

The HIPAA Security Rule requires three categories of safeguards for electronic PHI (ePHI), covering policies and procedures, record keeping, technology, and facility security.  These are:

1) Administrative – policies, procedures, and workforce management (including risk analysis, training, and sanctions) that govern how security measures are selected, implemented, and maintained
2) Physical – controls that protect information systems, facilities, and equipment (including portable devices and media containing ePHI) from theft, loss, environmental hazards, and unauthorized physical access
3) Technical – technology and the procedures for its use (access controls, audit controls, integrity controls, authentication, and transmission security) that protect ePHI from unauthorized access and data breaches

Assessing an organization's strategy for achieving HIPAA compliance requires an understanding of six specific rules:  1) privacy; 2) security; 3) transactions and code sets; 4) unique identifiers; 5) enforcement; and 6) breach notification.  For more information on each of these rules, visit the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) website.
 

Resources

Health care organizations should periodically refer to the Regulations and Guidance webpage of the Centers for Medicare & Medicaid Services (CMS) for more information and resources.  The HHS OCR website also provides updated information on guidance and FAQs.


The following HIPAA resources might also be of interest:
 

The Administrative Simplification Enforcement and Testing Tool (ASETT)

A CMS web-based application that allows an individual or organization to file a complaint against a HIPAA covered entity for potential non-compliance with the HIPAA Administrative Simplification provisions other than the Privacy and Security Rules (such as the transactions and code sets and unique identifier standards), and to test HIPAA transactions.

Key HITECH Changes to HIPAA (2012)

Summaries of key modifications to HIPAA by HITECH.

The American Recovery and Reinvestment Act of 2009 Updates to HIPAA Flyer (2011)

The American Recovery and Reinvestment Act of 2009 (ARRA), signed into law on February 17, 2009 by President Barack Obama, is an economic stimulus bill; the HITECH Act was enacted as part of it.  This flyer lists the key privacy and security changes to HIPAA that resulted from ARRA.

Health Care Data Breaches:  How Maryland Compares (2017)

The MHCC analyzed health care breaches reported to HHS OCR from 2013 through 2016.  This report presents Maryland's ranking in relation to other states and provides a detailed evaluation of the number of records compromised and the location of the breached information.

Health Care Data Breaches:  A Changing Landscape (2017)

The MHCC analyzed health care breaches reported to the HHS OCR from 2010 through 2016.  This information brief discusses the increasing prevalence of health care breaches, and includes recommendations on enhancing security processes to prepare for and mitigate the effects of new and evolving cyber threats.

HIPAA Omnibus Rule Brief (2014)

This document summarizes the Omnibus Rule that modifies certain HIPAA provisions including the impact on business associates and their subcontractors.

State versus Federal Comparison:  HIPAA Privacy Statute & Regulation (2003)

This document compares the similarities and differences between the Maryland Confidentiality of Medical Records Act (MCMRA) and HIPAA in their regulation of the privacy of health care information.

For additional information and resources, visit the MHCC cybersecurity webpage.


Last Updated: 5/1/2018