HIPAA Compliance

What is HIPAA?

HIPAA is the Health Insurance Portability and Accountability Act that was enacted by Congress in 1996. Title 1 protects health insurance coverage when workers change jobs and Title 11 addresses Security and Privacy of Protected Health Information. The main parts of HIPAA are the Privacy Rule, Security Rule and Enforcement Rule.

The Privacy Rule

The Privacy Rule became effective April 14, 2003 and defines Protected Health Information. PHI is information such as Name, Social Security Number, or Date of Birth which could lead to identification of an individual member.
It also requires an authorization or subpoena for entities such as Sierra PHI as well as requiring entities to take reasonable steps to insure confidentiality.

The Security Rule

The Security Rule became effective April 21, 2006 and requires three kinds of security safeguards in order to be in compliance: Administrative, Physical and Technical.

Administrative Safeguards

Administrative Safeguards require written policies to explain how the entity will comply with HIPAA and highly recommended training of employees.

Physical Safeguards

Physical Safeguards require controls to be in place to limit physical access to computerized data and networks.
Example: When a computer is retired, all PHI on the hard drive must be eliminated. Also hard drives with PHI must be secured in a locked room with an alarm system.

Technical Safeguards

Technical Safeguards state PHI must be encrypted if it travels over the Internet. (SSL encryption). Networks holding PHI must be “hacker safe” and must authenticate access using a User ID and Password. Also required are documented Risk Analysis and Risk Management programs. Each entity must carefully consider the risks of their operations to ensure the security of the PHI.