
What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (August 21) is Public Law 104-191, which amends the Internal Revenue Service Code of 1986. It is also known as the Kennedy-Kassebaum Act.

Title II includes a section, Administrative Simplification, requiring:

1. Improved efficiency in healthcare delivery by standardizing electronic data interchange, and
2. Protection of confidentiality and security of health data through setting and enforcing standards.

More specifically, HIPAA calls for:

1. Standardization of electronic patient health, administrative and financial data
2. Unique health identifiers for individuals, employers, health plans and health care providers
3. Security standards protecting the confidentiality and integrity of "individually identifiable health information," past, present or future.

The bottom line: sweeping changes in most healthcare transaction and administrative information systems.

WHO IS AFFECTED? All healthcare organizations. This includes all health care providers (including one-physician offices), health plans, employers, public health authorities, life insurers, clearinghouses, billing agencies, information systems vendors, service organizations, and universities.

ARE THERE PENALTIES? You bet. HIPAA calls for severe civil and criminal penalties for noncompliance, including:

-- fines up to $25K for multiple violations of the same standard in a calendar year
-- fines up to $250K and/or imprisonment up to 10 years for knowing misuse of individually identifiable health information

COMPLIANCE DEADLINES? Most entities have 24 months from the effective date of the final rules to achieve compliance. Normally, the effective date is 60 days after a rule is published. The Transactions Rule was published on August 17, 2000, so the compliance date for that rule is October 16, 2002. The Privacy Rule was published on December 28, 2000, but due to a minor glitch it did not become effective until April 14, 2001. Compliance with the Privacy Rule is required by April 14, 2003.

HOW WILL WE BE AFFECTED? Broadly and deeply. Required compliance responses aren't standard, because organizations aren't. For example, an organization with a computer network will be required to implement one or more access-control mechanisms for authentication ("user-based," "role-based," and/or "context-based" access), depending on its network environment.

Effective compliance will require organization-wide implementation. Steps will include:

It all seems a little overwhelming, doesn’t it? The following points will make it easier to understand:

Secure Office Components

Network Security. How do you control who has access to your network (and ultimately your data)? How often do you require password changes? Are users allowed to reuse passwords? Who has physical access to your server(s)? Do you have "shared" user logins?

Backup. Do you have a backup strategy? Does it include offsite rotation? Have you tested the restore and recover process?

Virus Protection. Virus attacks can bring down your systems and cost your business money in lost sales and data. Do you have current licensing? How often do you update your virus definitions? Is protection managed enterprise-wide or at the individual PC level?

Firewall. By placing firewalls at Internet gateways and at points of access to your organization's servers, you create a "safety gate" for your company, protecting your systems from Internet hackers and malicious internal users. What firewall solution do you have in place? Is it hardware or software based?

Content Filtering. Good content filtering provides extensive filtering by subject, words, users, keywords, attachments, and other features. What is your content filtering solution?

Internet Security. Do you know who has access to the Internet? Are they able to download files and/or programs?

Virtual Private Networking. Does your company have staff working on the road or branch offices that access your network remotely? Do you have off-site data centers where your servers are located? A Virtual Private Network (VPN) creates a secure "tunnel" between your server and outside users. What is your VPN solution?

Detailed Project Planning. Has your organization conducted a comprehensive, organization-wide inventory of its information systems?

Did you answer "no" or "I don't know" to any of these questions? Not to worry: these are exactly the problems that ITMaine will help you uncover and solve.

For further HIPAA information, choose one of the following links:

Centers for Medicare and Medicaid Services | Office for Civil Rights | Department of Health and Human Services

Please note that this Web page is for informational purposes only and should not be considered legal advice.

Copyright © 2001-2002 ITMaine, LLC. All Rights Reserved.