HIPAA
Health Insurance Portability and Accountability Act - HIPAA / HITECH
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 and its Security Rule establish requirements for safeguards to protect the confidentiality, integrity, and availability of electronic protected health information.
Healthcare payers, providers and others are increasingly relying on HIPAA guidelines and the HITECH Act to improve healthcare data standards, ensure greater interoperability between healthcare payers and providers, and provide consumers with extensive visibility into how their personal healthcare data is used. But while improved transparency and healthcare service quality are important goals, healthcare faces new challenges as well. As debate over healthcare technology heats up, the need to implement effective controls to protect sensitive data becomes even more critical.
HIPAA applies to virtually all healthcare organizations - including all healthcare providers, health plans, public health authorities, healthcare clearinghouses, and self-insured employers - as well as life insurers, information systems vendors, various service organizations, and universities. The Administrative Simplification section of HIPAA resulted in several rules, including the Security Rule. The final Security Rule was published on February 20, 2003, and provides for a uniform level of protection of all health information that is housed or transmitted electronically and that pertains to an individual. HIPAA requires covered entities to:
• Ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) the covered entity creates, receives, maintains, or transmits
• Protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI
• Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Privacy Rule
• Ensure compliance by their workforce.
HIPAA calls for severe civil and criminal penalties for noncompliance, including fines of up to $25K for multiple violations of the same standard in a calendar year, and fines of up to $250K and/or imprisonment up to 10 years for knowing misuse of individually identifiable health information.