HIPAA FOR IT PROFESSIONALS
Based on data and information forwarded to by its member DBAs
Copyright 2005 – 2010 Michael Bisconti
The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the U.S. Congress in 1996. According to the Centers for Medicare and Medicaid Services (CMS) website, Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs. Title II of HIPAA, known as the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers. The Administration Simplification provisions also address the security and privacy of health data. The standards are meant to improve the efficiency and effectiveness of the nation's health care system by encouraging the widespread use of electronic data interchange in the US health care system.
HIPPA & TECHNOLOGY
Technology is making a great contribution to the implementation of HIPAA standards and procedures. The most important application of technology to HIPAA compliance is in the area of data storage and retrieval systems – “databases.”
There are two important regulations in terms of database development and administration: the HIPAA Privacy Rule and the HIPAA Security Rule.
HIPAA PRIVACY RULE
The Privacy Rule protects all individually identifiable protected health information (PHI) maintained by the Covered Entity. It is not specific to electronic information and applies equally to written records, telephone conversations, etc. According to the Department of Health and Human Services, PHI includes data that relates to:
The Privacy Rule’s basic mandate is that organizations may only release PHI as explicitly permitted by the Privacy Rule or with the prior written consent of the individual who is the subject of the records. The Privacy Rule also contains a number of notification requirements and administrative requirements designed to ensure proper records are maintained and that individuals are aware of their rights under HIPAA.
HIPPA SECURITY RULE
The Security Rule covers the security of electronic protected health information (ePHI). It prescribes a number of required policies, procedures and reporting mechanisms that must be in place for all information systems that process ePHI within the Covered Entity. It also prescribes a number of required and addressable implementation specifications designed to protect the confidentiality, integrity and availability of ePHI within the enterprise. These specifications fall into five categories:
The key to compliance with the Security Rule lies in the language of the law: implementing “reasonable and appropriate” measures. You should carefully evaluate each of the items your risk assessment identifies as possible security actions against this principle. If you (and your attorney) feel that the measure isn’t reasonable and appropriate when viewed in light of the type of data in question, the size of the business, the potential risk and other circumstances, it’s only necessary to document that rationale.
It’s certainly true that HIPAA has caused database professionals a number of headaches while striving to come into compliance with the law. You should, however, view this as an opportunity to focus on the security of your databases. The procedural requirements of HIPAA only apply to specific PHI/ePHI data, but they are reliable best practices for all of your data.