By Pincock, Corey
Security Management , Vol. 47, No. 6
The Department of Health and Human Services (HHS), after more than four years of debate and deliberation, has issued the final rule for Health Insurance Portability and Accountability Act (HIPAA) security standards. Large healthcare plans and providers have until April 21, 2005, to comply, while small healthcare plans and providers must be in compliance by April 21, 2006. It took years to finalize this rule because HHS wanted the standards to be technically accurate yet technology neutral, comprehensive but not overwhelming, and effective without involving excessive government regulation.
HHS created the rule taking into account thousands of comments and suggestions it received from healthcare providers, health plans, industry groups, professional societies, law firms, public interest groups, government entities, and private individuals.
Despite the care taken in crafting the security rules, any organization that handles electronic protected health information (PHI) now faces some challenges in how to get into, and remain in, compliance, or face the penalties, which include fines up to $250,000 and even imprisonment. Following is an analysis of the standards that comprise the rule, as well as the implementation specifications that outline how each of those standards is to be addressed in practice.
Structure of the rule. The security rule is more comprehensive and taxing than the HIPAA patient privacy rule that was finalized last year and went into effect in April 2003. While the privacy rule gave patients the right to control the disclosure of their health-related information, the security rule requires healthcare organizations to proactively protect the confidentiality, integrity, and availability of "all electronic protected health information the covered entity creates, receives, maintains, or transmits." The security rule comprises 18 (sometimes overlapping) standards that fit into three areas: administrative, physical, and technical safeguards. Before addressing these rules, however, it is important to define the key concepts involved.
Covered entities. Only an organization that is considered a covered entity (CE) is obligated to follow HIPAA standards. Not every healthcare-related business is necessarily a CE. Covered entities are defined in the rule as health plans, healthcare clearinghouses, and healthcare providers.
A health plan, a category that includes group health plans, health insurance issuers, health maintenance organizations (HMOs), and certain government health programs, is defined as an individual or group health plan that provides or pays the cost of medical care.
Healthcare clearinghouses are entities that process nonstandard formatted health information received from another covered entity and convert it into a standard format, or vice versa. Healthcare providers sometimes use a healthcare clearinghouse to send their paper-based claims for conversion into a standard electronic format that is more efficiently processed by the payer of the claim without the overhead of stamps, envelopes, and other expenses.
A healthcare provider is an entity that provides care, services, or supplies related to the health of an individual or that furnishes, bills, or is paid for healthcare services or supplies in the normal course of business. Most importantly, it transmits health information in electronic form in connection with a covered transaction. Covered transactions are:
* Health claims and equivalent encounter information
* Enrollment and disenrollment in a health plan
* Eligibility for a health plan
* Healthcare payment and remittance advice
* Health plan premium payments
* Health claim status
* Certification and authorization of healthcare referrals
* Coordination of benefits
If a healthcare provider does not engage in a covered transaction, it is not a covered entity. So, for example, if a chiropractor keeps all his patient information on a computer but he does not take insurance or Medicare, he is not subject to the HIPAA privacy and security rules. …