
Overview of Health Insurance Portability and Accountability Act (HIPAA) of 1996
Introduction

• Recognizing the need to safeguard information
in this tumultuous age, nationwide regulations,
years in the making, were introduced under the
Health Insurance Portability and Accountability
Act (HIPAA), signed into law in 1996.
• In the years that followed, it appeared that the
delays in implementation might lead to its
demise.
Overview of HIPAA
• The Health Insurance Portability and
Accountability Act (HIPAA) was signed
into law by President Clinton in 1996.
• The Office for Civil Rights (OCR) is the
Departmental component responsible for
implementing and enforcing the privacy
regulation.
Overview of HIPAA
• Guaranteeing the security and privacy of
health information has been the focus of
numerous debates.
• One of the biggest stumbling blocks to
implementation of comprehensive
standards for privacy was the associated
cost.
Overview of HIPAA
• The Administrative Simplification portion
of this law is intended to decrease the
financial and administrative burdens by
standardizing the electronic transmission
of certain administrative and financial
transactions.
Overview of HIPAA
• The Privacy Requirements went into effect on
April 14, 2003 and limit the release of protected
healthcare information (PHI) without the
patient’s knowledge and consent.
• According to the US Department of Health and
Human Services (2002), there are certain rights
provided to patients by the Privacy Rule.
Overview of HIPAA
• On October 16, 2003 the Electronic
Transaction and Code Set Standards became
effective.
• The Security Requirements went into effect on
April 21, 2005 and require the covered
entities to put safeguards into place that
protect the confidentiality, integrity and
availability of protected health information
when stored and transmitted electronically.
Overview of HIPAA
• Safeguards need to be in place to control access
whether the data and information are at rest,
residing on a machine or storage medium, being
processed or in transmission such as being
backed up to storage or disseminated across a
network.
• HIPAA, with its privacy, confidentiality and security
regulations, became the first national rules for
protecting the patient’s health information.
Overview of HIPAA
• As information becomes more prevalent
in electronic formats, it will be easier to
collect, store, monitor, track, exchange,
disseminate and aggregate PHI across
covered entities including healthcare
networks and data repositories.
Overview of HIPAA
• The HIPAA standards are designed to smooth
the path and actually increase the amount of
electronic transmissions.
• “The American National Standards Institute
(ANSI) X12N and Health Level 7 (HL7)
Standards Organizations worked together to
develop an electronic standard for claims
attachments to recommend to HHS” (Spencer
and Bushman, 2006, ¶ 2).
Overview of HIPAA
• HL7 was initially associated with HIPAA in
1996 through the creation of a Claims
Attachments Special Interest Group
charged with standardizing the
supplemental information needed to
support healthcare insurance and other
e-commerce transactions.
Health Level 7 (HL7)
• Health Level 7 (HL7) - Level Seven in HL7’s
name means the “highest level of the
International Standards Organization's (ISO)
communications model for Open Systems
Interconnection (OSI) - the application level.”
• The application level addresses definition of
the data to be exchanged, the timing of the
interchange, and the communication of certain
errors to the application.
Overview of HIPAA
• The HL7 mission is supported through
two separate groups, the XML Special
Interest Group and the Structured
Documents Technical Committee.
• ISO is “a non-governmental organization:
its members are not, as is the case in the
United Nations system, delegations of
national governments.”
Overview of HIPAA
• It is evident that many organizations have
guidelines, standards and rules to help
healthcare entities collect, store, manipulate,
dispose of and exchange secure PHI.
• HIPAA guarantees the security and privacy of
health information and curtails health care fraud
and abuse while enforcing standards for health
information.
United States and Beyond
• The Gramm-Leach-Bliley Act (GLBA) is federal
legislation in the United States to control how
financial institutions handle the private
information they collect from individuals.
• Sarbanes-Oxley Act (SOX) was legislation that
was put in place to protect shareholders as well
as the public from deceptive accounting
practices in organizations.
HIPAA
• HIPAA Privacy Rule is intended to
enhance the rights of individuals.
• This rule provides them with greater
access and control over their PHI.
• They can control its uses, dissemination
and disclosures.
HIPAA
• Covered entities must not only establish a
required level of security for PHI but also
sanctions for employees who violate their
privacy policies and administrative
processes for responding to patient
requests regarding their information.
Securing Information In A Network
Fair Use of Information and Sharing
• Copyright laws in the world of technology
are notoriously misunderstood.
• The same copyright laws that cover
physical books, artwork, and other creative
material are still applicable in the digital
world.
Offsite Use of Portable Devices
• If a device is lost or stolen, the agency must have
clear procedures in place to help ensure that
sensitive data does not get released or used
inappropriately.
• The Department of Health and Human Services
(2006) identifies potential risks and proposes risk
management strategies for accessing, storing, and
transmitting EPHI. Visit this website for detailed
tabular information (pp. 4-6) on potential risks and
risk management strategies:
http://www.cms.hhs.gov/SecurityStandard/Downloads/SecurityGuidanceforRemoteUseFinal122806.pdf
Thought Provoking Questions
1. Joseph Kiram, a diabetes nurse educator,
recently read an article in an online
journal that he accessed through his
health agency’s database subscription.
The article provided a comprehensive
checklist for managing diabetes in older
adults that he prints and distributes to his
patients in a diabetes education class.
Does this constitute fair use or is this a
copyright violation?
Thought Provoking Questions
2. Ms. Zenne Sue is a COPD clinic nurse enrolled in a
Master’s education program. She is interested in writing
a paper on the factors that are associated with poor
compliance with medical regimens and associated
re-hospitalization of COPD patients. She downloads
patient information from the clinic database to a thumb
drive that she later accesses on her home computer.
Sue understands rules about privacy of information and
believes that since she is a nurse and needs this
information for a graduate school assignment that she is
entitled to the information. Is Ms. Sue correct in her
thinking? Give your rationale.
