Compliance Regulatory Overview: HIPAA

by Guest Contributor in CXO on August 30, 2005, 9:12 AM PST

In this lesson, we will explore the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), known as HIPAA: who it affects, what not complying could mean to your organization, and best practices for complying with the act.

Lesson 2 of 7

The Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), known as HIPAA, was enacted as part of a broad Congressional attempt at progressive healthcare reform. The "Administrative Simplification" aspect of the law requires the U.S. Department of Health and Human Services (DHHS) to develop standards and requirements for the maintenance and transmission of health information pertaining to individual patients. These standards are designed to improve the efficiency and effectiveness of the healthcare system by standardizing the exchange of electronic data for administrative and financial transactions and to protect the security and confidentiality of electronic health information.

All healthcare organizations that maintain or transmit electronic health information must comply with HIPAA regulations. This includes providers of health plans, healthcare clearinghouses, and other healthcare providers ranging from large, integrated delivery networks to physician's offices. Insurance and pharmaceutical companies are also affected.

Compliance deadlines

Most entities have 24 months from the effective date of the final rules to achieve compliance. Normally, the effective date is 60 days after a rule is published. Here's a list of compliance dates for specific rules:

The Transactions Rule was published on August 17, 2000; the compliance date for that rule was October 16, 2003.
The Privacy Rule was published on December 28, 2000, but due to a minor glitch didn't become effective until April 14, 2001. Compliance with the Privacy Rule was required as of April 14, 2003.
The final Security Rule was published April 21, 2003, with compliance required as of April 21, 2005.
The final Standard Unique Employer Identifier was published on May 31, 2002. Compliance was required by July 30, 2004.
The final rule establishing the National Provider Identifier (NPI) rule was published January 23, 2004.

Weekly tips in your inbox

For weekly information on a variety of subjects related to IT compliance, including regulations outlined by Sarbanes-Oxley, HIPAA, and e-mail, sign up for TechRepublic's free Compliance Issues newsletter.

Automatically sign up today!

The compliance date is May 23, 2007 for most covered entities. Healthcare providers could begin applying for NPIs as of May 23, 2005. A final standard for a Health Plan Identifier has not yet been published.

Factors to consider with HIPAA

Unlike Y2K, seen as primarily an information technology problem, HIPAA is an issue across the enterprise. There are legal, regulatory, process, security, and technology aspects to each proposed rule that must be carefully evaluated before companies can begin planning and implementing. HIPAA is a major issue in healthcare because:

Implementation time frames are short.
Senior executives are clearly responsible for the security and confidentiality of patient health information, yet most organizations have done little in this area.
There are significant criminal and civil penalties for noncompliance, as well as serious liability risks for unauthorized disclosure.
There is no quick fix or easy solution to meet the requirements.

For a comprehensive list of HIPAA resources, including free downloads, see page two.

HIPAA resources

Download: Check HIPAA compliance with this Excel calculator
Our HIPAA compliance calculator will help covered entities determine the status of their compliance efforts in the areas of HIPAA Privacy, Standardization of Code Sets, Security, National Provider Identifier, and Monitoring.
Online Seminar: HIPAA Demystified
Join this online seminar, hosted by ISSA and sponsored by Mirapoint, to learn how healthcare organizations can build secure messaging infrastructures to effectively address HIPAA regulations.
HIPAA: New standards mean big changes to healthcare information security
Designed to improve information transfer within the healthcare system, HIPAA has radically changed the way companies manage patient records. This classic, introductory article explains just what is expected from IT organizations in complying with HIPAA.
Don't gamble with HIPAA security compliance
The author of this article, Ramon Padilla, thinks the HIPAA security compliance guidelines left too many loopholes for foot-dragging IT departments. Read his recommendations for becoming compliant and documenting your efforts.
Congress calls for paperless health records
According to politicians, the United States needs to get moving on a nationwide shift to paperless medical record-keeping. Get more details in this CNET News.com report.
Prepare to comply with HIPAA privacy standards on individually identifiable information
Healthcare organizations must comply with HIPAA standards for the privacy of individually identifiable health information. Read this classic article to make sure you know everything that is considered individually identifiable.
Is your storage management process HIPAA compliant?
The question for CIOs, IT directors, and everyone charged with securing the company's network is: When the auditors come looking at your operation, will you be HIPAA compliant?
HHS publishes final rule for HIPAA Security Standards
After four years and more than 2,300 public comments, the final rule for HIPAA Security Standards was published in the Feb. 20, 2003, Federal Register. The new rules took effect on April 21, 2003, with the deadline for compliance for most covered entities two years later on April 21, 2005. Also published in the Feb. 20 Federal Register were several modifications to the EDI transaction standards used by healthcare entities to electronically communicate healthcare information.
Thin clients can aid in HIPAA compliance
For CIOs working in the healthcare sector, thin client appliances are an excellent alternative to PCs in organizations that must comply with HIPAA regulations. This classic article discusses the benefits of thin client computing from a HIPAA standpoint.
HIPAA EDI Implementation Guides
All X12N Implementation Guides adopted for use under HIPAA and their corresponding addenda are available in three configurations from the WPC On-Line Store. Check them out here.
Private Practices & Unauthorized Use or Disclosure of PHI Top OCR's Privacy Rule Complaints
Check out the latest HIPAA news, courtesy of Phoenix Health Systems. For example, as of June 30, 2005, 13,733 complaints alleging Privacy Rule violations have been filed with the Department of Health and Human Services' (HHS) Office for Civil Rights (OCR), reports the Fort Wayne News-Sentinel.

White papers

Leveraging the Internet for HIPAA-Compliant Process Automation
Administrative and financial transactions associated with healthcare delivery make up 20% - 25% of the overall costs. Automating these processes is a main focus of HIPAA legislation—an initiative which leaves no healthcare participant on the sidelines. Read this white paper from Tumbleweed Communications to learn how companies are attempting to automate their transactions, while ensuring privacy and security of Protected Health Information (PHI).
The Seven Steps to HIPAA Security Compliance
The focus of this paper by HIPAA Academy, and sponsored by Computer Associates International, is on the HIPAA Security Rule. It also examines the seven critical steps that HIPAA Compliance and Security Officers can follow to assist organizations with their compliance initiatives.
HIPAA and Its Impact on IT Organizations: How Identity and Access Management Systems Can Play an Important Role in HIPAA Compliance
Identity and Access Management (IAM) solutions, like those available from Netegrity, a division of Computer Associates International, will aid in timely and cost-effective implementations. This paper from Computer Associates explains why, if your organization is considered a covered entity under HIPAA, you should start to think about IAM solutions.