HIPAA security rule compliance.

Author: McKay, Ken
Position: Health Care CENTRAL - Health Insurance Portability and Accountability Act of 1996

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires implementation of procedures to safeguard health information when it is being transmitted or maintained in an electronic format. Compliance dates are April 21, 2005 for large group health plans and April 21, 2006 for small group health plans.

A large group health plan is one that exceeds $5 million in annual receipts in the most recent plan year; a small group health plan is one with less than $5 million in annual receipts. Annual receipts are premiums paid for fully insured plans or claims paid for self-funded plans.

The Security Rule affects many covered entities, including health-care providers, health-care information clearinghouses and group health plans. The intent is to protect the integrity, confidentiality and availability of Electronic Protected Health Information (EPHI) when in transit or at rest. EPHI is defined as individually identifiable health information relating to the past, present or future physical or mental condition of an individual, or information relating to the payment of care for that individual, that is stored on electronic media or transmitted electronically.

A key to determining whether protected health information is electronic is the original format of the data. For example, paper faxes are not considered EPHI, but if the same information is faxed from a desktop computer from an electronic file, it is considered "electronic."

In general, the rule requires those covered by the law to:

  1. Ensure the confidentiality, integrity and availability of EPHI that a covered entity creates, receives, maintains or transmits.

  2. Protect EPHI against any threats to security.

  3. Protect against any uses or disclosures not permitted.

  4. Ensure your workforce is compliant with your procedures.

Compliance with this rule will be a shared responsibility between IT and HR. Certain requirements are specifically related to Human Resources functions, such as:

* Establishing Business Associate Agreements (BAAs) with entities that perform a service on...
