Lesson 2 of 7

The Health Insurance Portability and Accountability Act of
1996 (Public Law 104-191), known as HIPAA, was enacted as part of a broad
Congressional attempt at progressive healthcare reform. The
“Administrative Simplification” provisions of the law require the U.S.
Department of Health and Human Services (HHS) to develop standards and
requirements for the maintenance and transmission of health information
pertaining to individual patients. These standards are designed to improve the
efficiency and effectiveness of the healthcare system by standardizing the
exchange of electronic data for administrative and financial transactions and
to protect the security and confidentiality of electronic health information.

All healthcare organizations that maintain or transmit
electronic health information must comply with HIPAA regulations. These
“covered entities” include health plans, healthcare clearinghouses, and
healthcare providers ranging from large, integrated delivery networks to
physicians’ offices. Insurance and pharmaceutical companies are also affected.

Compliance deadlines

Most entities have 24 months from the effective date of the
final rules to achieve compliance. Normally, the effective date is 60 days
after a rule is published. Here’s a list of compliance dates for specific

  • The Transactions Rule was published on August 17, 2000; the compliance
    date for that rule was October 16, 2003.
  • The Privacy Rule was published on December 28, 2000, but due to a minor
    glitch didn’t become effective until April 14, 2001. Compliance with the
    Privacy Rule was required as of April 14, 2003.
  • The final Security Rule was published February 20, 2003 and took effect
    April 21, 2003, with compliance required as of April 21, 2005.
  • The final Standard Unique Employer Identifier rule was published on
    May 31, 2002. Compliance was required by July 30, 2004.
  • The final rule establishing the National Provider Identifier (NPI) was
    published January 23, 2004.

The NPI compliance date is May 23, 2007 for most covered
entities. Healthcare providers could begin applying for NPIs as of May 23,
2005. A final standard for a Health Plan Identifier has not yet been published.

Factors to consider with HIPAA

Unlike Y2K, which was seen primarily as an information technology
problem, HIPAA is an enterprise-wide issue. There are legal, regulatory,
process, security, and technology aspects to each proposed rule that must be
carefully evaluated before companies can begin planning and implementing. HIPAA
is a major issue in healthcare because:

  • Implementation time frames are short.
  • Senior executives are clearly responsible for the security and
    confidentiality of patient health information, yet most organizations have
    done little in this area.
  • There are significant criminal and civil penalties for noncompliance, as
    well as serious liability risks for unauthorized disclosure.
  • There is no quick fix or easy solution to meet the requirements.

For a comprehensive list of HIPAA resources, including free
downloads, see the HIPAA resources section below.

HIPAA resources

  • Download: Check HIPAA compliance with this Excel calculator

    Our HIPAA compliance calculator will help covered entities determine the
    status of their compliance efforts in the areas of HIPAA Privacy,
    Standardization of Code Sets, Security, National Provider Identifier, and
  • Online Seminar: HIPAA Demystified

    Join this online seminar, hosted by ISSA and sponsored by Mirapoint, to
    learn how healthcare organizations can build secure messaging
    infrastructures to effectively address HIPAA regulations.
  • HIPAA: New standards mean big changes to healthcare information security

    Designed to improve information transfer within the healthcare system, HIPAA
    has radically changed the way companies manage patient records. This classic,
    introductory article explains just what is expected from IT organizations
    in complying with HIPAA.
  • Don’t gamble with HIPAA security compliance

    The author of this article, Ramon Padilla, thinks the HIPAA security
    compliance guidelines left too many loopholes for foot-dragging IT
    departments. Read his recommendations for becoming compliant and
    documenting your efforts.
  • Congress calls for paperless health records

    According to politicians, the United States needs to get moving on a
    nationwide shift to paperless medical record-keeping. Get more details in
    this CNET News.com report.
  • Prepare to comply with HIPAA privacy standards on individually
    identifiable information

    Healthcare organizations must comply with HIPAA standards for the privacy
    of individually identifiable health information. Read this classic article
    to make sure you know everything that is considered individually
  • Is your storage management process HIPAA compliant?

    The question for CIOs, IT directors, and everyone charged with securing
    the company’s network is: When the auditors come looking at your
    operation, will you be HIPAA compliant?
  • HHS publishes final rule for HIPAA Security Standards

    After four years and more than 2,300 public comments, the final rule for
    HIPAA Security Standards was published in the Feb. 20, 2003, Federal
    Register. The new rules took effect on April 21, 2003, with the deadline
    for compliance for most covered entities two years later on April 21,
    2005. Also published in the Feb. 20 Federal Register were several
    modifications to the EDI transaction standards used by healthcare entities
    to electronically communicate healthcare information.
  • Thin clients can aid in HIPAA compliance

    For CIOs working in the healthcare sector, thin client appliances are an
    excellent alternative to PCs in organizations that must comply with HIPAA
    regulations. This classic article discusses the benefits of thin client
    computing from a HIPAA standpoint.
  • HIPAA EDI Implementation Guides

    All X12N Implementation Guides adopted for use under HIPAA and their
    corresponding addenda are available in three configurations from the WPC
    On-Line Store. Check them out here.
  • Private Practices & Unauthorized Use or Disclosure of PHI Top OCR’s
    Privacy Rule Complaints

    Check out the latest HIPAA news, courtesy of Phoenix Health Systems. For
    example, as of June 30, 2005, 13,733 complaints alleging Privacy Rule
    violations have been filed with the Department of Health and Human
    Services’ (HHS) Office for Civil Rights (OCR), reports the Fort Wayne

White papers

  • Leveraging the Internet for HIPAA-Compliant Process Automation

    Administrative and financial transactions associated with healthcare
    delivery make up 20% – 25% of the overall costs. Automating these
    processes is a main focus of HIPAA legislation—an initiative which leaves
    no healthcare participant on the sidelines. Read this white paper from
    Tumbleweed Communications to learn how companies are attempting to
    automate their transactions, while ensuring privacy and security of
    Protected Health Information (PHI).
  • The Seven Steps to HIPAA Security Compliance

    The focus of this paper by HIPAA Academy, and sponsored by Computer Associates
    International, is on the HIPAA Security Rule. It also examines the seven
    critical steps that HIPAA Compliance and Security Officers can follow to
    assist organizations with their compliance initiatives.
  • and Its Impact on IT Organizations: How Identity and Access Management
    Systems Can Play an Important Role in HIPAA Compliance

    Identity and Access Management (IAM) solutions, like those available from
    Netegrity, a division of Computer Associates International, will aid in timely
    and cost-effective implementations. This paper from Computer Associates
    explains why, if your organization is considered a covered entity under HIPAA, you
    should start to think about IAM solutions.


Course list

  • Lesson 1:
  • Lesson 2: HIPAA
  • Lesson 3: Gramm-Leach-Bliley
  • Lesson 4: FERPA
  • Lesson 5: U.S. Patriot Act
  • Lesson 6: European legislation
  • Lesson 7: What’s next?
