Health Insurance Portability and Accountability Act

Published under Risk Management

Title:	Health Insurance Portability and Accountability Act (HIPAA; often misquoted as ‘HIPPA’) of 1996
Source reference:	http://www.legalarchiver.org/hipaa.htm
Topic:	U.S. Act with regard to health insurance coverage, electronic health, and requirements with regard to the security and privacy of health data
Direct / indirect relevance	Direct. The norm directly prescribes an obligation to assess security measures with regard to data processing and to take the required security precautions.
Scope:	Directly applicable to the practices governed by the U.S. Act, including in particular health insurance plans, administrative simplification in the health sector, and the processing of personal health care data
Legal force:	U.S. legislation; not applicable to health service organisations which are not subject to U.S. law. Violations are subject to civil and penal sanctions
Affected sectors:	Health care services
Relevant provision(s):	From an RM/RA perspective, the Act is particularly known for its provisions with regard to Administrative Simplification (Title II of HIPAA). This title required the U.S. Department of Health and Human Services (HHS) to draft specific rulesets, each of which would provide specific standards which would improve the efficiency of the health care system and prevent abuse. As a result, the HHS has adopted five principal rules: the Privacy Rule, the Transactions and Code Sets Rule, the Unique Identifiers Rule, the Enforcement Rule, and the Security Rule. The latter, published in the Federal Register on 20 February 2003 (see: http://www.cms.hhs.gov/), is specifically relevant, as it specifies a series of administrative, technical, and physical security procedures to assure the confidentiality of electronic protected health information. These aspects have been further outlined in a set of Security Standards on Administrative, Physical, Organisational and Technical Safeguards, all of which have been published, along with a guidance document on the basics of HIPAA risk management and risk assessment (see http://www.cms.hhs.gov/EducationMaterials/). HIPAA security standards include the following: Administrative safeguards: • Security Management Process • Assigned Security Responsibility • Workforce Security • Information Access Management • Security Awareness and Training • Security Incident Procedures • Contingency Plan • Evaluation • Business Associate Contracts and Other Arrangements Physical safeguards: • Facility Access Controls • Workstation Use • Workstation Security • Device and Media Controls Technical safeguards: • Access Control • Audit Controls • Integrity • Person or Entity Authentication • Transmission Security Organisational requirements: • Business Associate Contracts & Other Arrangements • Requirements for Group Health Plans
Relevance to RM/RA:	European health care service providers will generally not be affected by HIPAA obligations if they are not active on the U.S. market. However, since their data processing activities are subject to similar obligations under general European law (including the Privacy Directive), and since the underlying trends of modernisation and evolution towards electronic health files are the same, the HHS safeguards can be useful as an initial yardstick for measuring RM/RA strategies put in place by European health care service providers, specifically with regard to the processing of electronic health information.

Browse the Topics