The United States Health Insurance Portability and Accountability Act (HIPAA) has two sections:
- HIPAA Title I, which focuses on protecting citizens’ healthcare coverage if they are fired or laid off (Health Insurance Portability), and
- HIPAA Title II, which focuses on patient privacy and how to properly transmit, share and store their information (Accountability).
HIPAA created a set of universal standards for exchanging and securing personal data via electronic data interchange (EDI), the goal being to protect all data that is personally identifiable to a specific person, regardless if it is communicated orally, electronically or in writing.
The HIPAA privacy rule requires that all healthcare providers (or any other organization that processes medical records):
- inform patients of their privacy rights,
- educate and train staff on how medical data should be properly handled, and
- implement and practice the required privacy and security policies in order to ensure that electronic health information of patients remain secure.
HIPAA’s standards require that all healthcare industries apply and enforce certain protections. Implementation will vary, depending upon size, budget, risks and infrastructure complexity. Regardless of each organization’s needs, the general HIPAA requirements stay the same.
- Organizations must have an administrative authority in charge of managing and enforcing HIPAA compliance rules, regulations and efforts. There should be a clear set of guidelines in place regulating who is and isn’t permitted to access patient information. All access to sensitive data and systems should be monitored.
- Documentation should be provided to patients informing them of their rights.
- All corporate systems, machines and buildings must have physical and technical data and intrusion protection controls to prevent malicious hacker and unauthorized access.
- There must be a traffic-monitoring device, such as a firewall, in place to examine activity coming into and leaving the organization’s network.
- Management should practice risk assessments, data-handling policies, data loss prevention (DLP) and record all security policies and procedures.
The HIPAA Security Rule and Security Risk Assessment
Substance Abuse Confidentiality Regulations (42 CFR Part 2, Code of Federal Regulations)
Title 45 → Subtitle A → Subchapter C → Part 164 (Security and Privacy)
- Subpart C—Security Standards For The Protection Of Electronic Protected Health Information
- Subpart D—Notification In The Case Of Breach Of Unsecured Protected Health Information
- Subpart E—Privacy Of Individually Identifiable Health Information