HIPAA is the Health Information Portability and Accountability Act. It became law in 1996. As an organization that provides health services and transmits or stores medical information electronically, we are subject to the authority of this law.
There are two fundamental components to HIPAA that we are concerned about: the Privacy statute and the Security statute. This document will focus mainly on security. From the privacy statute there are a few items that need to be identified. First HIPAA identifies protected information as PHI or protected health information. PHI is any individually identifiable health information held or transmitted by a covered entity. Middlebury College is a covered entity. PHI includes data or demographic data as it pertains to physical or mental health, health care, or the payment of care.
The security statute identifies how PHI is to be handled and what safeguards are to be in place to protect the information. As a covered entity we must ensure that on the systems that contain PHI we can ensure the confidentiality, integrity and availability of the e-PHI that is created, transmitted, received, or contained. We must be able to ensure and protect against reasonably anticipated threats; including impermissible use and disclosure. We must also ensure compliance by the individuals that use these systems.
This boils the security statue requirements and objectives down fairly concisely. There are other components such as education and the technology required to ensure compliance of this statute that is included in this and the accompanying piece of legislation called HIGHTECH. One key component of HIPAA is that it does not identify any specific type of technology rather it will identify best practices. For example it will does not state that you must use anti-virus software but rather that you must protect against reasonable a known threats. It does not say that you must use an IPS but rather that you should use intrusion detection technologies and practices. This wording helps to keep HIPAA current but also has mad implementing HIPAA confusing for some.
The objectives of HIPAA are simple, protect the confidentiality of health information and keep it available for the continuity of care. The implications of HIPAA are immense. Recognizing your role in helping the institution comply with HIPAA regulations is important.