Understanding HIPAA Privacy and HIPAA Security
Compared with earlier times, we now see an increased number of regulations and security standards implemented
by governments to ensure information security and privacy. HIPAA, the ‘Health Insurance Portability
and Accountability Act’ of 1996, was enacted to address the security and privacy concerns of the healthcare
industry. The act has two sections, referred to as Title I and Title II. Title I deals with healthcare access,
portability and renewability, while Title II, also known as the Administrative Simplification (AS)
provisions, deals with medical liability reform and with measures and civil and criminal penalties to prevent
health care fraud and abuse.
The objective behind the drafting of the Administrative Simplification provisions is to improve the efficiency
of the health care system by setting up rules and guidelines regarding the use and disclosure of
healthcare information. The Administrative Simplification provisions consist of five rules, namely the
Privacy Rule, the Transactions and Code Sets Rule, the IT security and compliance Rule, the Unique
Identifiers Rule, and the Enforcement Rule. These rules apply to covered entities and their
business associates. Employer-sponsored health plans, health insurers, health care clearinghouses, and
certain health care providers are grouped under covered entities, while business associates are those
persons and businesses whose services are used by the covered entities.
The Privacy Rule
The HIPAA Privacy Rule sets out the rules and standards that must be implemented to ensure the
confidentiality of Protected Health Information (PHI), which includes details such as health status, medical
records, payment history and so on.
Covered entities are therefore mandated to:
Disclose PHI to the individual within 30 days of receiving the request.
Disclose PHI of an individual to rightful authorities in special cases like child abuse.
Make sure that under no circumstances the PHI of an individual is accessed by unauthorized
Disclose PHI with or without the individual’s permission only if it facilitates treatment,
payment or operations. Even then, covered entities must disclose only those details
required to attain that purpose.
Act upon the request of an individual to correct inaccurate details in their PHI.
Take all the necessary steps to ensure that communications with the individual are
not leaked.
Track all the disclosures made.
Be cognizant of the privacy policies and procedures.
Make the requisite arrangements for receiving complaints.
In the second part of this article, we will delve into the security aspects of HIPAA. With the drafting of
HIPAA, the healthcare industry witnessed rapid changes in the handling of PHI. HIPAA compliance is
definitely a step in the right direction.