Prior to HIPAA, no generally accepted set of security standards or general requirements for protecting health information existed in the health care industry. At the same time, new technologies were evolving, and the health care industry began to move away from paper processes and rely more heavily on the use of electronic information systems to pay claims, answer eligibility questions, provide health information and conduct a host of other administrative and clinically based functions (US Dept of HHS).
The Health Insurance Portability and Accountability Act (HIPAA) of 1996, Public Law 104-191, is an act that specifies the privacy, security and electronic transaction standards with regard to patient information for all health care providers. It was signed into law on August 21, 1996 and came about in response to rapidly expanding technology and the need for standardization in the health care industry (Choi, 2006).
HIPAA has developed regulations protecting the privacy and security of certain health information by establishing the Privacy Rule and the Security Rule (US Dept of HHS).
HIPAA directed the U.S. Department of Health and Human Services (HHS) to promulgate a regulation—the Privacy Rule—to protect and enhance the right of consumers to control how their personal health information is used and disclosed. Specifically, the Privacy Rule:
stipulates the individual rights of consumers to control their personal health information, including guaranteed access to their medical records and a clear avenue of recourse if their medical privacy is compromised;
outlines the procedures organizations must adopt to enable patients to exercise their privacy rights, including proper notification of how their personal health information is used and shared;
establishes the conditions under which individuals or organizations may use and/or disclose personal health information;
sets an industry standard for disclosing only the minimum amount of information necessary to satisfy an authorized request for patient information; and
requires organizations to appoint a privacy officer to conduct privacy assessments, create policies to protect patient privacy, train staff, and establish an internal grievance process (NGA).
HIPAA directed the U.S. Department of Health and Human Services (HHS) to promulgate a regulation, the Security Rule, to ensure the integrity, safety, and security of patient medical information when collected, exchanged, or otherwise used in the health care marketplace.
The Security Rule established the organizational standards (administrative, physical, and technical) that covered entities must adopt to prevent unauthorized access to patient health information. It assures the safety and integrity of patient health information when consumers exercise their health privacy rights under HIPAA (NGA).
The Security Rule applies only to protected health information in electronic form (EPHI), and requires a covered entity to ensure the confidentiality, integrity, and availability of all EPHI the covered entity creates, receives, maintains, or transmits. Covered entities must protect against any reasonably anticipated threats or hazards to the security or integrity of such information, and any reasonably anticipated uses or disclosures of such information that are not permitted or required under the Privacy Rule; and ensure compliance by their workforce (USHHS).
The HIPAA security standards apply to protected health information (PHI) that is either stored or transmitted electronically. PHI is health information in any form that personally identifies a patient (Kibbe, 2005). Although HIPAA pertains to all forms of PHI (verbal, paper, and electronic), currently only the electronic formats are addressed in the Security Standards Final Rule published in February 2003 (Bradford, 2008).
Safeguards are the solutions and tools used to implement security policies. Individually identifiable health information should be protected with reasonable technical, physical and administrative safeguards to ensure its confidentiality, integrity, and availability to prevent unauthorized or inappropriate access, use, or disclosure (OCR).