HIPAA Security: Impacting a Trillion-Dollar Industry
The Health Insurance Portability and Accountability Act (HIPAA) is about information efficiency, privacy and security in the U.S. health-care industry. On Feb. 20, 2003, the Department of Health and Human Services (HHS) released the final HIPAA Security Rule. This rule impacts the entire health-care industry. The industry must safeguard all patient/client information. For most organizations, this will require the deployment of a variety of security technologies that would address areas such as perimeter security, authentication, access control, confidentiality and integrity. Skilled security professionals need to better understand the HIPAA legislation and specifically the final HIPAA Security Rule so they will be able to deliver customized security solutions to this trillion-dollar industry.
The issues that relate to HIPAA deal with transaction efficiency, as well as the security and privacy of patient and medical records and information. This is very similar to the needs all businesses have to secure information related to employees, customers and suppliers.
HIPAA’s goal is to bring about national standards for consistent data formats for electronic health-care transactions. Besides data format consistency, another key benefit from HIPAA compliance is the substantial reduction in paper-handling costs for health-care claims. These costs are likely to be reduced from between $6 and $8 per claim to less than $1. As transactions are increasingly conducted electronically, there is a requirement to secure the movement of information between covered entities.
The focus of this article is on the HIPAA Security Rule. This rule is defined within the Administrative Simplification (AS) portions of HIPAA Title II. It is the Administrative Simplification portion of the HIPAA legislation that is fueling initiatives within organizations to address:
- Health-Care Transactions
- Health-Care Privacy
- Health-Care Security
HIPAA and E-Business
HIPAA is about e-business initiatives inside organizations. This will not only provide more timely availability of information, enabling faster decision-making, but it will also enable substantial cost savings and increased opportunities for revenue. HIPAA initiatives will result in the development of applications as well as the deployment of technology. It is important to note that HIPAA is a challenge from a technology perspective as much as it is a business process challenge. Careful attention needs to be paid to the business processes that would guide the application of the appropriate technology for HIPAA compliance.
Organizations need to take advantage of the guidelines laid out by HIPAA and use them to accelerate the pace of development of e-business applications and a secure, trusted infrastructure. Use them to build a resilient enterprise that is agile and increasingly virtual. Again, rather than just another government regulation requiring compliance, HIPAA represents an enormous, unprecedented opportunity that will result in new efficiencies and enhanced profitability for the health-care industry.
HIPAA Privacy Requirement
Privacy requires policies and procedures to control who has access to protected health information (PHI). The privacy requirements of HIPAA outline specific rights for individuals regarding protected health information and obligations of health-care providers, plans and health-care clearinghouses. In general, health-care providers, plans and clearinghouses are prohibited from using or disclosing protected health information.
Any patient identifiable information is now Protected Health Information (PHI), regardless of the media form it is or was in. PHI is protected under HIPAA when data is at rest or in transit. “At rest” refers to data that is accessed, stored, processed or maintained. “In transit” means data that is transmitted in any form.
Although the HIPAA privacy regulations went into effect on April 14, 2001, no entity was required to comply with any standard or implementation specification within them until 24 months after that date (36 months for small health plans), that is, by April 14, 2003 (April 14, 2004 for small health plans).
HIPAA Security Rule
The final HIPAA Security Rule was published in the Federal Register on Feb. 20, 2003. This rule establishes the minimum level of security that covered entities must meet. This final Security Rule adopts standards for the security of electronic protected health information to be implemented by health plans, health-care clearinghouses and certain health-care providers.
According to the Department of Health and Human Services (HHS), the use of the security standards will improve the Medicare and Medicaid programs and other federal health programs and private health programs, as well as improving the effectiveness and efficiency of the health-care industry in general, by establishing a level of protection for certain electronic health information.
The confidentiality of health information is threatened not only by the risk of improper access to stored information, but also by the risk of interception during electronic transmission of the information.
Covered entities, with the exception of small health plans, must comply with the requirements of the final Security Rule by April 21, 2005. Small health plans must comply with the requirements of the final Security Rule by April 21, 2006.
The final Security Rule establishes standards for the security of electronic Protected Health Information (PHI) by covered entities. Health plans, health-care clearinghouses and health-care providers must use the security standards to develop and maintain the security of all electronic PHI. There are three categories identified in the final Security Rule: administrative safeguards, physical safeguards and technical safeguards.
Administrative safeguards are administrative actions and policies and procedures to manage the selection, development, implementation and maintenance of security measures to protect electronic PHI and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.
Physical safeguards are physical measures, policies and procedures to protect a covered entity’s electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.
Technical safeguards refer to the technology and the policies and procedures for its use that protect electronic PHI and control access to it.
The final Security Rule makes no distinction between internal networks and external networks—both need to be secured. Further, the final Security Rule covers electronic PHI at rest (that is in storage) as well as during transmission. Covered entities must protect electronic PHI when they transmit information. The final Security Rule requires protection of the same scope of information as that covered by the Privacy Rule, except that it only covers that information if it is in electronic form. Per the final Security Rule, a covered entity’s responsibility to implement security standards extends to the members of its workforce, whether they work at home or on site. Documentation related to the final Security Rule implementation must be retained for a period of six years.
The Wall Street Journal reported that the health-care industry spent as much as $8 billion to fix the Y2K problem. The estimates for HIPAA compliance are expected to be two to three times the amount spent addressing the Y2K problem. While Y2K was about business continuity, HIPAA opens the door for enhanced efficiencies as a direct result of electronic medical records.
HIPAA is the watershed legislation for the health-care industry. Security professionals need to understand this legislation and its associated specific security re