Lesson 2 of 7
The Health Insurance Portability and Accountability Act of
1996 (Public Law 104-191), known as HIPAA, was enacted as part of a broad
Congressional attempt at progressive healthcare reform. The
“Administrative Simplification” aspect of the law requires the U.S.
Department of Health and Human Services (DHHS) to develop standards and
requirements for the maintenance and transmission of health information
pertaining to individual patients. These standards are designed to improve the
efficiency and effectiveness of the healthcare system by standardizing the
exchange of electronic data for administrative and financial transactions and
to protect the security and confidentiality of electronic health information.
All healthcare organizations that maintain or transmit
electronic health information must comply with HIPAA regulations. This includes
providers of health plans, healthcare clearinghouses, and other healthcare
providers ranging from large, integrated delivery networks to physician’s
offices. Insurance and pharmaceutical companies are also affected.
Most entities have 24 months from the effective date of the
final rules to achieve compliance. Normally, the effective date is 60 days
after a rule is published. Here’s a list of compliance dates for specific rules:
- The Transactions Rule was published on August 17, 2000; the compliance date
for that rule was October 16, 2003.
- The Privacy Rule was published on December 28, 2000, but due to a minor glitch
didn’t become effective until April 14, 2001. Compliance with the Privacy
Rule was required as of April 14, 2003.
- The final Security Rule was published April 21, 2003, with compliance required
as of April 21, 2005.
- The final Standard Unique Employer Identifier was published on May 31, 2002.
Compliance was required by July 30, 2004.
- The final rule establishing the National Provider Identifier (NPI) was
published January 23, 2004. The compliance date is May 23, 2007 for most covered
entities. Healthcare providers could begin applying for NPIs as of May 23,
2005.
A final standard for a Health Plan Identifier has not yet been published.
Factors to consider with HIPAA
Unlike Y2K, seen as primarily an information technology
problem, HIPAA is an issue across the enterprise. There are legal, regulatory,
process, security, and technology aspects to each proposed rule that must be
carefully evaluated before companies can begin planning and implementing. HIPAA
is a major issue in healthcare because:
- The time frames are short.
- Executives are clearly responsible for the security and confidentiality of
patient health information, yet most organizations have done little in
- There are significant criminal and civil penalties for noncompliance, as well as
serious liability risks for unauthorized disclosure.
- There is no quick fix or easy solution to meet the requirements.
For a comprehensive list of HIPAA resources, including free
downloads, see page two.
- Download: Check HIPAA compliance with this Excel calculator
Our HIPAA compliance calculator will help covered entities determine the
status of their compliance efforts in the areas of HIPAA Privacy,
Standardization of Code Sets, Security, National Provider Identifier, and
- Online Seminar: HIPAA Demystified
Join this online seminar, hosted by ISSA and sponsored by Mirapoint, to learn how healthcare organizations can build secure messaging infrastructures to effectively address HIPAA regulations.
- HIPAA: New standards mean big changes to healthcare information security
Designed to improve information transfer within the healthcare system, HIPAA
has radically changed the way companies manage patient records. This classic,
introductory article explains just what is expected from IT organizations
in complying with HIPAA.
- Don’t gamble with HIPAA security compliance
The author of this article, Ramon Padilla, thinks the HIPAA security
compliance guidelines left too many loopholes for foot-dragging IT
departments. Read his recommendations for becoming compliant and
documenting your efforts.
- calls for paperless health records
According to politicians, the United States needs to get moving on a
nationwide shift to paperless medical record-keeping. Get more details in
this CNET News.com report.
- Prepare to comply with HIPAA privacy standards on individually identifiable information
Healthcare organizations must comply with HIPAA standards for the privacy
of individually identifiable health information. Read this classic article
to make sure you know everything that is considered individually
- Is your storage management process HIPAA compliant?
The question for CIOs, IT directors, and everyone charged with securing
the company’s network is: When the auditors come looking at your
operation, will you be HIPAA compliant?
- publishes final rule for HIPAA Security Standards
After four years and more than 2,300 public comments, the final rule for
HIPAA Security Standards was published in the Feb. 20, 2003, Federal
Register. The new rules took effect on April 21, 2003, with the deadline
for compliance for most covered entities two years later on April 21,
2005. Also published in the Feb. 20 Federal Register were several
modifications to the EDI transaction standards used by healthcare entities
to electronically communicate healthcare information.
- Thin clients can aid in HIPAA compliance
For CIOs working in the healthcare sector, thin client appliances are an
excellent alternative to PCs in organizations that must comply with HIPAA
regulations. This classic article discusses the benefits of thin client
computing from a HIPAA standpoint.
- HIPAA EDI Implementation Guides
All X12N Implementation Guides adopted for use under HIPAA and their
corresponding addenda are available in three configurations from the WPC
On-Line Store. Check them out here.
- Private Practices & Unauthorized Use or Disclosure of PHI Top OCR’s Privacy Rule Complaints
Check out the latest HIPAA news, courtesy of Phoenix Health Systems. For
example, as of June 30, 2005, 13,733 complaints alleging Privacy Rule
violations have been filed with the Department of Health and Human
Services’ (HHS) Office for Civil Rights (OCR), reports the Fort Wayne
- the Internet for HIPAA-Compliant Process Automation
Administrative and financial transactions associated with healthcare
delivery make up 20% – 25% of the overall costs. Automating these
processes is a main focus of HIPAA legislation—an initiative which leaves
no healthcare participant on the sidelines. Read this white paper from
Tumbleweed Communications to learn how companies are attempting to
automate their transactions, while ensuring privacy and security of
Protected Health Information (PHI).
- Seven Steps to HIPAA Security Compliance
The focus of this paper by HIPAA Academy, and sponsored by Computer Associates
International, is on the HIPAA Security Rule. It also examines the seven
critical steps that HIPAA Compliance and Security Officers can follow to
assist organizations with their compliance initiatives.
- and Its Impact on IT Organizations: How Identity and Access Management Systems Can Play an Important Role in HIPAA Compliance
Identity and Access Management (IAM) solutions, like those available from
Netegrity, a division of Computer Associates International, will aid in timely
and cost-effective implementations. This paper from Computer Associates
explains why, if your organization is considered a covered entity under HIPAA, you
should start to think about IAM solutions.
- (MailGate Secure Messenger and Secure Transport)
- Teneo Solutions,
- Clark Consolidated Industries, Inc. (Instant HIPAA Compliance Kit)
- VendorCompliance.info (Vendor compliance training)
- Lesson 1:
- Lesson 2: HIPAA
- Lesson 5: U.S. Patriot Act
- Lesson 6: European legislation
- Lesson 7: What’s next?