Health Insurance Portability and Accountability Act (HIPAA)
The Health Insurance Portability and Accountability Act (HIPAA) sets national minimum privacy requirements for personal, protected health information (PHI). It protects the security and privacy of health data. HIPAA also encourages electronic data interchange among different electronic medical record systems.
- In 1996 August 21, the United States Congress enacted the Health Insurance Portability and Accountability Act (HIPAA). It is also known as the Kennedy-Kassebaum Act.
- The HIPAA privacy rule went into effect in 2003, implementing the privacy requirements of HIPAA.
- The HIPAA security rule went into effect in 2005, implementing the security requirements of HIPAA.
- The HIPAA enforcement rule went into effect in 2006, specifying sanctions for violations of HIPAA privacy and security rules.
- The American Recovery and Reinvestment Act (ARRA), signed by President Obama on February 17, 2009, included Title XIII – the Health Information Technology for Economic and Clinical Health (HITECH) Act, which includes several amendments to HIPAA.
- As of this date, 11/24/2012, the HITECH-HIPAA Omnibus Rule is pending OMB final review (HHS sent the Rule to OMB 3/24/2012) and will include the final rules for:
- Breach notification (interim rule in effect since 8/2009)
- Enforcement (interim rule in effect since 10/2009)
- Privacy and Security (Notice of Proposed Rulemaking released 7/2010)
- Genetic Information Nondiscrimination Act (NPRM released 10/2009)
Purpose of HIPAA
The purpose of HIPAA is to improve the efficiency, effectiveness, and security of the national health system.
- Increase efficiency: paper work is reduced for healthcare providers due to an electronic system.
- Reduce fraud and abuse: digital paper trail makes fraud prosecution easier.
- Portability: an employee is guaranteed health insurance coverage, even when he changes jobs.
- Security: increased security for patient health information and protect patient rights.
- Accountability: protecting health data integrity, confidentiality and availability.
Security refers to the ability to control access and protect information from disclosure to unauthorized persons.
To comply with the security standards, an electronic medical record (EMR) must have written, comprehensive security policies, access controls, control over the physical environment, clearance procedures, and a record of all access authorizations.
Risk Assessment – Technical Safeguards
One of the lessons learned coming out of The Office for Civil Rights (OCR) HIPAA Audit Program is that we must understand where ePHI is and what our team members and business partners are doing with it. Operational practices and controls must safeguard every record, all the time. Audit controls must be designed and documented to account for ePHI and what activities around that ePHI need to be monitored, internally and with our business associates. Assessment validation of control continuance within those frameworks will become critical with Meaningful Use attestation and stage two requirements.
Access Control (164.312 (a)(1)) HIPAA Standard: Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in 164.308(a)(4) (note: this standard supports the Information Access Management Administrative Standard and Facility Access Controls Physical Standard)
Unique User Identification
Security users must have a unique and auditable identification number or credential that details when they access ePHI and the activity they perform on the information. 
Emergency Access Procedure
Covered entities must establish users who can access ePHI during an emergency.
Implement electronic procedures that terminate an electron session after a predetermined time of inactivity.
Encryption and Decryption
This implementation specification ensures that confidentially of ePHI primarily focusing on data at rest. Covered entities must decide how and when to use encryption and decryption.
Audit Controls (164.312 (b)) HIPAA Standard: Implement hardware, software, and/or procedural mechanisms that record and examine activity information system that contain or use electronic protected health information to help ensure that systems have not been harmed by hackers, insiders, or technical problems.
Integrity Controls (164.312 (c)(1)) Mechanism to Authenticate ePHI HIPAA Standard: Implement policies and procedures to protected electronic protected health information from improper alteration or destruction.
Person or Entity Authentication (164.312 (d)) HIPAA Standard: Implement procedures to verity that a person or entity seeking access to electronic protected health information is the one claimed.
Transmission Security (164.312 (e)(1)) HIPAA Standard: Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communication network. Integrity Controls Covered entities must implement controls to protect against message tampering during ePHI communications. These controls ensue that the received message is the same message that was sent. Encryption Covered entities must implement encryption controls where appropriate to protect ePHI.
The HITECH Act amends HIPAA so that covered entities and business associates are required to notify individuals when their unsecured PHI is disclosed in a manner inconsistent with HIPAA privacy regulations. Such disclosure is known as a breach. Covered entities must have policies and procedures in place regarding breach notification, training of employees on these, and sanctions for violations of the same. Covered entities with a breach affecting 500 or more individuals will have their breach information posted on the HHS “wall of shame” web site: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html.
The HITECH Act specifies the following breach notification requirements :
- Individual Notice – Affected individuals must be notified within 60 days of a discovery of a breach of unsecured PHI. The notification must include a description of the breach, a description of the types of information that were involved in the breach, the steps affected individuals should take to protect themselves from potential harm, a brief description of what the covered entity is doing to investigate the breach, mitigate the harm, and prevent further breaches, as well as contact information for the covered entity.
- Media Notice – A breach affecting more than 500 residents of a State or jurisdiction must notify prominent media outlets serving the State or jurisdiction within 60 days of discovery of the breach.
- Notice to the Secretary – Covered entities must notify the Secretary of Health & Human Services of all breaches of unsecured PHI by submitting an electronic form on the HHS web site: http://ocrnotifications.hhs.gov/. If the breach affects 500 or more individuals such notice must be given within 60 days. If fewer than 500 individuals are affected, the notice may be given on an annual basis.
- Notification by a Business Associate - If a vendor discovers a breach of unsecured PHI, it must notify the client within 60 days and provide information to the client for facilitate its ability to notify affected individuals
The Privacy Rule
The Privacy Rule defines the minimum Federal standards for protection of patient data by a covered entity for research and other purposes. It specifies who is a Covered Entity, what protected health information (PHI) is, and the conditions under which PHI can be distributed.
In general, there are three ways that PHI can be distributed by a Covered Entity under the Privacy Rule. The first is by the creation of De-Identified Patient Data. This process theoretically removes all individually identifying information from the patient record, allowing the data to be used to research or financial gain without the ability to link to the information back to a particular person. In reality, this has not been completely successful.
The second method is to get written permission from the patient to release their PHI.
Lastly, an Institutional Review Board (IRB) can also allow for use of Protected Health Information (PHI) in specific situations for certain types of research.
Implications to Clinical Information Systems
- Personal Health Records (PHRs). See PHRs and HIPAA
The 2009 HITECH Act, HIPAA provisions, will impact CIS in a number of ways, including:
- Health Information Exchanges, vendors that offer a PHR as part of an EHR, and other organizations that transmit PHI to a covered entity or its business associate must enter into a business associate agreement with the covered entity and will now be held accountable to much of the HIPAA privacy and security provisions.
- Vendors of CIS will need to sign business associates agreements with their clients
- Vendors of CIS are now accountable for directly adhering to the privacy and security provisions of HIPAA
- Vendors of CIS are subject to civil and criminal penalties for HIPAA violations
- If a vendor discovers a breach of unsecured PHI, it must notify the client within 60 days and provide information to the client for facilitate its ability to notify affected individuals
- Vendors of personal health records are required to abide by the same breach notification rules as covered entities and business associates
- Individuals are entitled to receive an accounting for disclosures of PHI maintained in an EHR for a three year period prior to the date of the request. Under HITECH routine disclosures related to treatment, payment, and health care operations are no longer excluded. Therefore CIS will need to include a mechanism to track such disclosures to facilitate the covered entity’s ability to provide the information when requested
- Individuals may request access to PHI, and transmission of PHI, in an electronic format if PHI is maintained in an EHR. Vendors will need to ensure this capability exists
- Vendors will need to ensure that EHRs include mechanisms to securely de-identify patient information to facilitate sharing of data for public health and research purposes.
- Vendors of cloud-based EHR face particular challenges to achieve regulatory compliance (article review)
- Handhelds and HIPAA: Does instant access and availabilityfrom mobile technology jeopardize patient privacy
- Avoiding fraud risks associated with EHRs
- Data Privacy Lab: Identifiability Project http://dataprivacylab.org/projects/identifiability/index.html
- National Institute of Standards and Technology (NIST) Risk Management Guide for Information Technology Systems # http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
- NIST Guide for Implementing Health Insurance Portability and Accountability Act # http://csrc.nist.gov/publications/nistpubs/800-66-Rev1/SP-800-66-Revision1.pdf
- 45 CFR Part 160 and 164 # http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html