HIPAA Privacy and Security Standards for the Electronic Office

Passed in 1996, the Health Insurance Portability and Accountability Act (HIPAA) -in particular, Title II, Preventing Health Care Fraud and Abuse; Administrative Simplification and Medical Liability-was intended to establish a federal floor of protections for managing the evolving technologies of storing and sharing electronic health information.

Section 261 of Title II, Administrative Simplification (AS), is overseen by the Centers for Medicare and Medicaid Services (CMS); it focuses on technology and security standards as they apply to all electronic transactions. The technology standard creates transaction and code sets (TCS) that went into effect in October 2003, as well as national identifiers for providers, insurance plans, and employers.

The security standard was established to protect data in electronic medical records (EMRs) through security configuration and information access control; it went into effect in April 2005. The purpose of these two standards is to improve the efficiency and effectiveness of America’s health care system by encouraging the use of electronic data interchange (EDI).

Section 264 of Title II, Standards for Privacy of Individually Identifiable Health Information (IIHI) (the Privacy Rule), falls under the jurisdiction of the Department of Health and Human Services’ Office for Civil Rights (OCR) and pertains to all patients’ protected health information (PHI) in any format-electronic, written, verbal, or image. This rule applies to three types of covered entities: health care plans, clearinghouses, and providers; compliance was required by April 2003.

click for large version

Figure. HIPAA requires a number of safeguards for electronic communications, including access control, firewall protection, encryption, and record disposal.

Priority 1: Security

Health care providers initially concentrated on EDI by submitting standardized electronic claims via their practice management systems (PMS) to clearinghouses or insurance companies. Only a handful of administrative parties were privy to a limited amount of patient information, such as diagnosis or procedural codes.

Now that the technology has advanced and providers are beginning to use EMRs, e-prescribing, and online communications, all of a patient’s IIHI is available to numerous clinical and administrative people in multiple locations, 24/7. Although security and privacy standards have becoming increasingly commingled, it is the security standard that dominates HIPAA compliance in the electronic office.

One year into the HIPAA security regulations, 25% of surveyed hospital and health systems indicate complete compliance and 50% state that they are close to full compliance, according to the American Health Information Management Association’s (AHIMA) 2006 survey, The State of HIPAA Privacy and Security Compliance.