HIPAA FAQ

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is comprised of two legislative actions – Health Insurance Reform and Administrative Simplification. The Health Insurance Reform provisions, which require implementation of practices by health plans and insurers regarding portability and continuity of health insurance coverage, have been in effect for some time. The Administrative Simplification portion of HIPAA requires the U.S. Department of Health and Human Services (HHS) to develop standards and requirements for maintenance and transmission of health information that identifies individual patients.

HIPAA Administrative Simplification standards are designed to:

• Improve the efficiency and effectiveness of the health care system by standardizing the exchange of electronic data for administrative and financial transactions
• Reduce health care fraud and abuse
• Protect the security, privacy and confidentiality of health information

HIPAA will impose substantial compliance requirements on practically all participants in the U.S. health care system. Organizations directly impacted by the rules are known under HIPAA as Covered Entities, and the information they must safeguard is referred to as Protected Health Information (PHI) or Individually Identifiable Health Information (IIHI).

IMPACTS

HIPAA will impact all business and operational processes and information systems that store, handle, communicate or generate health information. Health care organizations will be required to reevaluate their current practices, policies and procedures for protecting the security and privacy of health information. In addition, many organizations will need to modify or replace their current systems and business processes to comply with HIPAA regulations.¹

Fortunately, HIPAA also offers health care organizations the opportunity to realize significant cost savings and operational efficiencies. Examples of the benefits that health care organizations can achieve through the successful implementation of HIPAA standards include:

• Reduced labor costs through the automation of manual processes
• Reduction in processing errors
• Shorter claims processing cycle times
• Reduced waiting time for eligibility verification
• Faster coordination between referring physicians
• Increased access to cost-saving information related to coordination of benefits
• Improvement of health data quality and completeness
• Increased consumer confidence

Back to Top

Who needs to comply?

Health care organizations that electronically send any of the transactions covered in the Final Rules are considered covered entities, and must comply with all of HIPAA standards. This includes health plans, health care clearinghouses and health care providers, from integrated health care delivery networks to small physician offices.

Initially, HIPAA privacy and security standards were envisioned as only applying to electronic health information, but the HHS has since broadened the scope of HIPAA to include health information in all media and formats.

Back to Top

What are the penalties for noncompliance?

HIPAA will enforce penalties for individuals who fail to comply with its provisions. The HHS hopes that penalties associated with HIPAA violations will add incentive for health care organizations to comply with its provisions. Under the proposed regulations, failure to comply with some or all of the provisions can lead to major fines and jail time.

Type of Noncompliance	Associated Penalties
Failure to Comply	$100 per violation;$25,000 maximum for all violations of a single requirement
Wrongful Disclosure	$50,000 and/or up to 1 year imprisonment for knowing misuse of health information;$100,000 and/or up to 5 years imprisonment if done under false pretenses; $250,000 and/or up to 10 years imprisonment if done with intent to sell information

Besides financial, criminal and civil penalties, other possible outcomes of noncompliance with HIPAA standards include:

• Submitted claims may no longer be honored by payers
• Loss of accreditation from organizations such as JCAHO and NCQA
• Increased attention from Legislative Auditors
• Negative publicity

Health care organizations could be held legally responsible for HIPAA violations if it is found that they failed to implement and enforce appropriate policies and procedures to prevent violations from happening. In extreme cases, penalties could be assessed to a covered entity’s Privacy or Security Officer.

Members of a covered entity’s workforce must receive training on their organization’s policies, procedures and practices regarding the privacy, confidentiality and security of health information. If a policy to protect PHI is in place, but it is found that employees don’t know it exists or don’t understand it, an institution can be held liable for violations.

However, if a health care organization has developed appropriate policies and procedures and can prove that it has adequately educated its workforce, then the specific person or people guilty of a willful violation could be held personally responsible and face fines and prison.

Back to Top

Who will be responsible for HIPAA enforcement?

The HHS has announced that the Office of Civil Rights (OCR) will be responsible for HIPAA enforcement. Although the HIPAA enforcement regulations have not yet been published and finalized, the OCR has already begun hiring people to handle the tasks associated with HIPAA enforcement.

Back to Top

What does the Security Rule cover?

The Security Rule was finalized on February 20, 2003, giving covered entities a compliance deadline of April 21, 2005. The function of the Security Rule is to ensure the confidentiality, integrity and availability of all electronic PHI that your organization creates, receives, maintains or transmits, and to protect PHI against any reasonably anticipated security threats or hazards.

The Security and Privacy Standards are very complementary to each other, since security policies, procedures and technologies will be required to keep PHI confidential. However, security should not be confused with privacy and confidentiality. Privacy refers to the right of individuals to control their PHI and to not have it divulged or used by others against his or her wishes. Security applies to the spectrum of physical, technical and administrative safeguards that are implemented to protect PHI.

The intent of the Security Rule is to ensure that PHI cannot be altered, misused or destroyed – intentionally or accidentally – while being electronically transmitted or stored. Thus, compliance will require appropriate technological measures and physical security safeguards to maintain the security of PHI. In addition, the Security Rule will require changes in workforce behavior by altering existing and/or implementing new administrative procedures, policies, workforce training and record-keeping practices.

HIPAA Security standards have been designed to be scalable. The standards are technology-independent in order to address the individual circumstances of health care organizations, and to allow for advances in technology. It is up to your organization to implement technologies appropriate to your exposure and level of risk.

Back to Top

What are the HIPAA Implementation Requirements?

The Security Rule requires health care organizations that engage in electronic maintenance or transmission of health information to assess their security needs and risks and devise, implement and maintain appropriate security measures to address their business requirements.

These measures include:

Administrative Safeguards – Documented, formal practices to manage the selection and execution of security measures.

Physical Safeguards – Protection of computer systems, buildings and equipment that store or transmit PHI from hazards and intrusion.

Technical Safeguards – Processes that protect and monitor information access, and prevent unauthorized access to data that is transmitted over a network.

The standards identified in the Security Rule are classified as either “Required” or “Addressable”. Required [R] standards must be implemented by all covered entities. However, an Addressable [A] standard is one for which covered entities must assess whether the standard is  reasonable and appropriate safeguard in their environment, when analyzed with reference to the likely contribution to protecting the entity’s electronic PHI.

If you determine that one or more of the Addressable standards are not reasonable or appropriate for your organization, you must document why it would not make sense to implement the standard, and implement an equivalent alternative measure (if reasonable and appropriate). If neither the Addressable standard nor a reasonable alternative is implemented, you must document why the standard is not applicable to your organization’s environment.

In deciding which addressable security measures to implement and utilize, covered entities should consider the following factors:

The size, complexity and capabilities of their organization.

Their technical infrastructure, hardware and software security capabilities.

What security measures are already in place.

The costs of implementing security measures.

The probability and criticality of potential risks to electronic PHI.

Back to Top

What are the Administrative Safeguards?

Administrative Safeguards are documented, formal practices to mange the selection and execution of security measures. The following safeguards are designated with Required (R) or Addressable (A).

Security Management Process – Covered entities must implement policies and procedures to prevent, detect, contain and correct security violations. As part of this process, covered entities must take the following steps:

Risk Analysis [R] – Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic PHI.

Risk Management [R]–- Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.

Sanction Policy [R] –- Apply appropriate sanctions against workforce members who fail to comply with security policies and procedures.

Information System Activity Review [R] – Implement procedures to regularly review records of information system activity (For example, audit logs, access reports and security incident tracking reports).

Assigned Security Responsibility [R] - Just as covered entities are required to appoint a Privacy Officer, covered entities must also identify a Security Official who will be responsible for the development and implementation of security policies and procedures.

Workforce Security – Covered entities must implement policies and procedures to ensure that all members of its workforce have appropriate access to electronic PHI, and to prevent workforce members who should not have access from obtaining access to electronic PHI. Covered entities may need to take the following steps to ensure that this requirement is addressed:

Authorization and/or Supervision [A] – Implement procedures for the authorization and/or supervision of workforce members who work with electronic PHI, or in locations where it might be accessed.

Workforce Clearance Procedure [A] – Implement procedures to determine that the access of a workforce member to electronic PHI is appropriate.

Termination Procedures [A] – Implement procedures for terminating access to electronic PHI when the employment of a workforce member ends. (For example, revoking passwords and removing keys).

Information Access Management – Covered entities must implement policies and procedures for authorizing appropriate access to electronic PHI by doing the following:

Isolating Health Care Clearinghouse Functions [R] – If a clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect electronic PHI from unauthorized access by the larger organization.

Access Authorization [A] – Implement policies and procedures for granting access to electronic PHI (For example, access to workstations, transactions, programs,

Security Awareness and Training – Just as the Privacy Rule requires workforce training, the Security Rule requires that covered entities implement a security awareness and training program for all members of its workforce that cover the following information:

Security Reminders [A] – Periodic security updates as needed.

Protection from Malicious Software [A] – Procedures for guarding against, detecting and reporting malicious software. (For example, computer viruses, worms, etc.)

Log-in Monitoring [A] – Procedures for monitoring log-in attempts and reporting discrepancies.

Password Management [A] – Procedures for creating, changing and safeguarding passwords.

Security Incident Procedures – Covered entities are required to implement policies and procedures to address security incidents, as follows:

Response and Reporting [R] – Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes.

Contingency Plan – Covered entities must establish and implement policies and procedures for responding to emergencies or other occurrences (for example: fire, vandalism, system failure, natural disaster) that can damage systems that contain electronic PHI.

Data Backup Plan [R] – Establish and implement procedures to create and maintain retrievable exact copies of electronic PHI.

Disaster Recovery Plan [R] – Establish and implement procedures to restore any loss of data.

Emergency Mode Operation Plan [R] – Establish and implement procedures to enable continuation of critical business processes for protection of the security of electronic protected health information while operating in emergency mode.

Testing and Revision Procedure [A] – Implement procedures for periodic testing and revision of contingency plans

Applications and Data Criticality Analysis [A] – Assess the relative criticality of specific applications and data in support of other contingency plan components.

Evaluation [R] –  Covered entities must perform periodic technical and non-technical evaluations, based initially upon the standards implemented under the Security Rule, and subsequently in response to environmental or operational changes affecting the security of electronic PHI, that establish the extent to which the entity’s security policies and procedures meet the requirements of the Security Rule.

Business Associate Contracts and Other Arrangement [R] – A covered entity may permit business associates to create, receive, maintain or transmit electronic PHI on the covered entity’s behalf only if the covered entity obtains satisfactory assurances that the business associates will appropriately safeguard the information.

The contract between a covered entity and a business associate must provide that the business associate will:

Implement administrative, physical and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic PHI that it creates, receives, maintains, or transmits on behalf of the covered entity;

Ensure that any agent, including a subcontractor, to whom it provides electronic PHI agrees to implement reasonable and appropriate safeguards to protect it;

Report to the covered entity any security incident of which it becomes aware;

Authorize termination of the contract by the covered entity, if the covered entity determines that the business associate has violated a material term of the contract.

Back to Top

What are the Physical Safeguard Requirements?

Facility Access Controls – Covered entities must implement policies and procedures to limit physical access to their electronic information systems and the facilities in which they are housed, while ensuring that properly authorized access is allowed.

Contingency Operations [A] – Establish and implement procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan.

Facility Security Plan [A] – Implement policies and procedures to safeguard facilities and equipment from unauthorized physical access, tampering and theft.

Access Control and Validation Procedures [A] - Implement procedures to control and validate a person’s access to facilities based on their role or function (including visitor control), and control of access to software programs for testing and revision.

Maintenance Records [A] – Implement policies and procedures to document repairs and modifications to the physical components of a facility that are related to security (for example: hardware, walls, doors and locks).

Workstation Use [R] – Covered entities are required to implement policies and procedures that specify the proper functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of workstations that can access electronic PHI.

Workstation Security [R] – Covered entities must implement physical safeguards for all workstations that access electronic PHI that will allow access to workstations by authorized users only.

Device and Media Controls – The Security Rule requires that covered entities implement policies and procedures to govern the receipt and removal of hardware and electronic media that contain electronic PHI in and out of a facility, and the movement of these items within the facility.

Disposal [R] – Implement policies and procedures to address the final disposition of electronic PHI, and/or the hardware or electronic media on which it is stored.

Media Re-Use [R] – Implement procedures for removal of electronic PHI from electronic media before the media are made available for re-use.

Accountability [A] – Maintain a record of the movements of hardware and electronic media and any person responsible therefore.

Data Backup and Storage [A] – Create a retrievable, exact copy of electronic PHI before movement of equipment.

Back to Top

What are the Technical Safeguards?

Access Controls – Covered entities must implement technical policies and procedures for electronic information systems that maintain electronic PHI that will allow access only to people or software programs that have been granted access rights.

Unique User Identification [R] – Assign a unique name and/or number for identifying and tracking user identity.

Emergency Access Procedure [R] – Establish and implement procedures for obtaining necessary electronic PHI during an emergency.

Automatic Logoff [A] – Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.

Encryption and Decryption [A] – Implement a mechanism to encrypt and decrypt electronic PHI.

Audit Controls [R] – Covered entities are required to implement hardware, software and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic PHI.

Integrity – Covered entities must implement policies and procedures to protect electronic PHI from improper alteration or destruction by implementing the following addressable requirement:

Mechanism to Authenticate Electronic PHI [A] – Implement electronic mechanisms to corroborate that electronic PHI has not been altered or destroyed in an unauthorized manner. (For example, error correcting memory and magnetic disc storage, digital signatures, check sum technology, etc.)

Person or Entity Authentication [R] – The Security Rule requires that covered entities implement procedures to verify that a person or entity seeking access to electronic PHI is actually the one claimed. (For example, biometric identification systems, Password systems, PIN systems, telephone callbacks, token systems (such as smart cards) that use physical devices for user identification, etc.)

Transmission Security – Covered entities must implement technical security measures to guard against unauthorized access to electronic PHI that is being transmitted over an electronic communications network.

Integrity Controls [A] – Implement security measures to ensure that electronically transmitted electronic PHI is not improperly modified without detection until disposed of.

Encryption [A] – Implement a mechanism to encrypt electronic PHI whenever the risk analysis shows risk to be significant.

Back to Top

What is a Covered Entity?

A health plan, a health care clearinghouse or a health care provider who transmits any health information in electronic form in connection with a HIPAA transaction.

Back to Top

What is a Business Associate?

A person or organization that performs a function or activity on behalf of a covered entity, and has access to PHI in the course of performing the function or activity, but is not part of the covered entity’s workforce. A business associate can also be a covered entity in its own right.

Back to Top

What does Chain of Trust (COT) mean?

A term used in the HIPAA Security Rule for a pattern of agreements that extend protection of health care data by requiring that each covered entity that shares health care data with another entity require that that entity provide protections comparable to those provided by the covered entity, and that that entity, in turn, require that any other entities with which it shares the data satisfy the same requirements.

Back to Top

Define Protected Health Information (PHI)

 Individually identifiable health information (IIHI) that is:

• Transmitted by electronic media;
• Maintained in any electronic media;
• Transmitted or maintained in any other form or medium.

Back to Top