Hipaa - Mgt 305

Running head: HIPAA

HIPAA

Ken LaGuerre

MGT 305

Abstract

         The Health Insurance Portability and Accountability Act, or better known as (HIPAA) was introduced in 1996 as an Act to help individuals keep their health insurance as they moved from one job to another. As the future brought new advancements HIPAA evolved to include much more than portability. HIPAA now includes many complex rules to protect patient privacy along with the use of information technology that transfers medical records.

Body

         Over the last two decades, people have continuously changed the way they go about their everyday lives, mostly due to the development and advancement of technology. This new technological era, more commonly known as the information revolution, was initially started by the invention of the computer chip and has nearly revolutionized every aspect of people’s lives. In today’s world, an individual is able to have access to piles of information within seconds by just a click of a button or a swipe of a screen, which in years past, might have taken a very long time to retrieve. Out of all the piles of information being accessed, one’s that deal with an individual’s overall health and wellbeing may be considered the most significant. Furthermore, the medical field has also found the advancement of technology very significant, as it allows for the best possible treatment for each patient’s health.

         Prior to the information revolution, a health patient would discuss their personal health information with the doctor then have it stored away in a locked file cabinet located somewhere in the doctor’s office. Although the filing cabinet method was very simple and secure, it was a slow process since the only access to the patient’s information would be through the doctor’s office. One of the leading problems that this method created was not being able to read the personal information of the patient correctly since it was being handwritten by the care providers. This problem created a big risk for the overall health of the patient since crucial information would be overlooked or misunderstood. Although the filing cabinet method could be considered rather inefficient, it did give the people a sense of security since they knew where their personal medical information was being stored and how it was being used.

         With the rise of the information revolution, health care provides quickly realized the possible opportunities the advancing technology presented to improve the medical field’s storing method. Of these opportunities, the most efficient would ultimately result in the process of storing patients’ medical information through electronic medical software’s rather than using the old filing cabinet method used in years past. By using electronic processing and communication for patient’s health information, the benefits were quickly realized by patients and health care providers alike; as it promoted better medical results by improving processing speed, flexibility, efficiency, and accuracy (Jeffries, 2008). This allowed doctors to have precise medical information of their patients at the click of a button, resulting in better attentiveness towards giving the best possible care for the patients’ health.

         Prior to 1996, there were no generally accepted set of security standards or general requirements to protect health information existing in the health care industry, which made many people very nervous about how their personal information was being used and who was being able to see it (Summary of the HIPAA Security Rule). Congress came to the decision that essentially something needed to be put into place to help better protect individual’s personal information in the health care industry. On August 21, 1996, the Health Insurance Portability and Accountability Act, or more commonly known as the HIPAA, was passed by the United States Congress and signed by President Bill Clinton in an effort to resolve this very issue (Summary of the HIPAA Privacy Rule). Title I of the HIPAA, which is the first of 5 total Titles currently within the act, initially started the movement in the protection for individuals health. HIPAA Title I primarily controls the accessibility a group health insurance plan has on an individual, and secondly, establishes rules on how a group plan handles a pre- existing condition (Centers for Medicare & Medicaid Services, 2013). Basically, it deals with protecting health insurance coverage towards someone who has lost or is looking for a new job (Summary of the HIPAA Privacy Rule). Although the introduction of the HIPAA was a massive step in ensuring a better protection for one’s personal information in the health care industry, the times were quickly changing and the concern for one’s privacy was continuously on the rise.

 As the new era of storing and communicating information electronically brought much improvement in the health care industry, it would however, possess many dangers as well. The possible danger that health records could be accessed by virtually anyone and then transmitted across the globe quickly with little risk of any detection had many people wondering the overall security of this new method. If a person simply stole or sold a computer that had access to one’s personal data through the hard drive, this possible danger would turn a reality. A breach of confidentiality like this would ultimately result in much personal harm for the particular individual as their personal information, which was scattered throughout the Internet, could never be removed. This very situation would especially create great distress to an individual if they had a particular medical problem or disability they wanted private from family or their workplace. It then creates a possible danger that the individual’s personal information could be altered or tampered with, resulting for even greater and more dangerous problems. Americans started to become very concerned and brought many questions about the overall security of electronic storage and transmission software’s, which held private data of personal health information.

Congress also became concerned with these possible dangers that were present in the health care industry and they recognized that more steps needed to be taken to further protect personal information from the advancing technology. They responded by creating HIPAA provisions that mandated the adoption of Federal privacy protections for individually identifiable health information and required the Health Human Services to create the establishment of national standards for electronic health care transactions as well as national identifiers for providers of health insurance plans and the employers (Summary of the HIPAA Security Rule) . Thus, Title II of the HIPAA was born with the effort to, once and for all; ensure Americans that they no longer had to stress over the overall protection of personal medical information.

To ensure this, the Secretary of Human Health Services began the new section of the HIPAA, by publicizing new standards for the electronic exchange, privacy and security of personal health information, which came to be known as the Administrative Simplification provisions (Summary of the HIPAA Privacy Rule). Under these new Administrative Simplification provisions, the covered entities are health plans, health care clearinghouses, and health care providers who transmit health information electronically, and are expected to comply with the final regulations (Summary of the HIPAA Privacy Rule). It also allows for covered providers and health plans to disclose protected health information with a business associate.

While there are five overall rules that make up the Administrative Simplification, none may be more important to one another than the Privacy Rule and Security Rule, as they go hand in hand. On December 28, 2000, the final regulation of the Privacy Rule was published. The Privacy Rule standards address the use and disclosure of individuals’ health information by organizations subject to covered entities, as well as standards for individuals' privacy rights to understand and control how their health information is used (Summary of the HIPAA Privacy Rule). Ultimately, the HIPAA Privacy Rule was created to ensure individuals that both their health coverage and privacy of personal information were to be protected by covered entities. For the government to ensure individuals the protection of their personal privacy, the idea of this was to finally straighten out and regulate how a patient’s personal data was to be used and who had overall access to the data if an individual choose to switch care providers or insurers.

The compliance of these covered entities to the Privacy Rule went into full effect on April 14, 2003, as it also granted a one-year extension for certain smaller plans. Before this compliance of covered entities took place however, the Privacy Rule, as well as the other rules that made up the Administrative Simplification, had to put a strong emphasis on how they wanted to regulate providers in securing one’s personal information.  HIPAA then required the Secretary of Health Human Services to publish national standards for the security of electronic protected health information (e-PHI), electronic exchange, and the privacy and security of health information (Summary of the HIPAA Security Rule). This publication of national standards regarding security eventually comes to be known as the Security Rule. These two rules go hand in hand with each other because the Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that covered entities must put in place to secure individuals’ electronic protected health information, or more commonly known as e-PHI (Summary of the HIPAA Security Rule).

The Security Rule took a little longer to construct its final regulations as it didn’t publicize its Security Standards until February 20, 2003.4 The Security Rule involves the use of security safeguards with each patient's e-PHI, which ultimately creates strong barrier-like walls in an effort to protect the personal information (Summary of the HIPAA Security Rule). Mainly, the Security Rule deals with various security standards that each provider has to abide by to ensure the highest level of confidentiality and protection of all e-PHI records that a provider creates, receives, updates or sends (Jeffries, 2008). The impression behind the Security Rule is that since each provider is solely responsible for protecting each patients personal medical information from any sort of security threat, they need to be required to take the necessary security action. One of the major goals through this is to protect the privacy of each individual’s health information while allowing the covered entities to adapt to new technologies to improve the quality and efficiency of patient care. Also, providers are expected to protect their entire electronic system from any threats to its security like computer bugs or even careless workers that might cause harm to the systems.

The compliance to the Security Rule went into full effect on April 20, 2005 for most covered entities and like the Privacy Rule, gave certain smaller plans a one-year extension for compliance (Summary of the HIPAA Security Rule). The covered entities compliance with the Security Rule allows them to be protected since now they have requirements they too have to meet in order to successfully ensure the right protection of personal information (Jeffries, 2008). Much like the Privacy Rule, if a covered entity engages a business associate to help carry out health care activities and functions, the covered entity must have a written business associate contract or other arrangement with the business associate that establishes specifically what the business associate has been engaged to do (Business Associates, 2003). This also requires the business associate to comply with all HIPAA Rules requirements to ensure the protection of privacy and security of the personal health information (Business Associates, 2003).

The four general requirements covered entities must follow in the Security Rule to ensure a successful protection of one’s e-PHI are that they must be able to 1) ensure the confidentiality, integrity, and availability of e-PHI that they process 2) safeguard against reasonably anticipated security threats to the data 3) protect against reasonably anticipated impermissible uses and disclosures of the data; and 4) ensure that their workforces is compliant with (Code of Regulations, 2007). These requirements make the Security Rule have a flexible of approach, allowing covered entities to choose the specific means by which to reasonably and appropriately implement the Security Rule’s requirements. Covered entities are instructed only that they should consider their size, complexity, capabilities, and infrastructure as well as the costs of implementation and the probability and criticality of potential risks to e-PHI in making their implementation decisions (Code of Regulations, 2007).

The HIPAA Security Rule’s requirements appear in two different sets of forms: standards and implementation specifications. The implementation specifications, which tell a person how a certain action should be applied, are also in two different kinds of forms which are required or addressable (Code of Regulations, 2007). The required implementation specifications are mandatory and they must be accomplished in the terms listed. In meeting standards that contain addressable implementation specifications, a covered entity will do one of the following for each addressable specification: 1) implement the addressable implementation specifications 2) implement one or more alternative security measures to accomplish the same purpose, or, 3) not implement either an addressable implementation specification or an alternative (Guide to Privacy and Security of Electronic Health Information, April 2015). Most of the implementation specifications instruct covered entities to establish or implement procedures for a particular purpose but do not provide further guidance as to how the goal can be achieved.  

The Administrative Safeguard section of the HIPAA Security Rule includes administrative actions, policies and procedures, management of the selecting, development, implementation, and maintenance of security that measures to protect e-PHI and how to manage the conduct of the covered entity’s workforce in relation to the protection of that information (HIPAA Security Rule, 2016). The standards that are dealing with the Administrative Safeguard are: Security Management Process, Assigned Security Responsibility, Workforce Security, Information Access Management, Security Awareness and Training, Security Incident Procedures, Contingency Plan, Evaluation, and Business Associate Contracts and Other Arrangements (HIPAA Security Rule, 2016). The required implementation specifications that the Administrative Safeguard focuses on are: Risk Analysis, Risk Management, Sanction Policy, Information System Activity Review, Isolating Health Care, Clearinghouse Function, Response and Reporting, Data Backup Plan, Disaster Recovery Plan, Emergency Mode Operation Plan and Written Contract or Other Arrangement. Finally, the addressable implementation specifications that the Administrative Safeguards focuses on are: Authorization and/or Supervision, Workforce Clearance Procedure, Termination Procedures, Access Authorization, Access Establishment and Modification, Security Reminders, Protection from Malicious Software, Log-in Monitoring, Password Management, Testing and Revision Procedures, Applications and Data Criticality Analysis (HIPAA Security Rule, 2016).

The Physical Safeguard section of the HIPAA Security Rule are physical measures, policies, and procedures that protect a covered entity’s electronic information systems and the related buildings and equipment, from natural and environmental hazards to unauthorized intrusion. The standards dealing with the Physical Safeguard are: Facility Access Controls, Workstation Use, Workstation Security, Device and Media Controls (HIPAA Security Rule, 2016). The required implementation specifications that the Physical Safeguards focus on are: Disposal of e-PHI and the hardware on which it is stored, and removal of e-PHI from electronic media before it is reused (HIPAA Security Rule, 2016). The addressable implementation specifications under the Physical Safeguards in which they are concerned with are: Contingency Operations, Facility Security Plan, Access Control and Validation Procedures, Maintenance Records, Accountability, Data Backup and Storage (HIPAA Security Rule, 2016).

The Technical Safeguards section of the HIPAA Security Rule refers to the technology and the policy and procedures for its use that protects electronic e-PHI and the control and access of it.  The standards dealing with the Technical Safeguards are: Access Control, Audit Controls, Integrity, Person or Entity Authentication and Transmission Security (HIPAA Security Rule, 2016). The required implementation specifications in this sections that mandates assignments are: Have an Emergency Access Procedure and a Unique User Identification. The addressable implementation specifications concerns are: Automatic Logoff, Encryption and Decryption, Mechanisms to Authenticate e-PHI, and the measures to ensure that e-PHI is not inappropriately altered (HIPAA Security Rule, 2016).

The Other Safeguards of the HIPAA Security Rule focuses on contracts with business associates and other arrangements. It details methods in which to ensure that business associates properly protect the integrity and confidentiality of e-PHI. A Business Associate is an individual or corporate person that performs on behalf of the covered entity any function or activity involving the use or disclosure of protected health information; and is not a member of the covered entity's workforce (et al., 2008). The implementation specifications state that a business associate contract must provide that the business associate will implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that it creates, receives, maintains, or transmits on behalf of the covered entity (Business Associates, 2003).

Conclusion

Taking these precautions as a healthcare worker can prevent any complications regarding HIPAA and most importantly patient privacy. This research paper helped me understand more concepts of HIPAA I did not understand before. I learned what HIPAA is really about, the patient rights, and how important it is to prevent a breach. Learning more about HIPAA will help me in my future career. Therefore it is important for everyone to learn and understand the importance of HIPAA in a healthcare environment.

...