What is HIPAA

Privacy Standard

The Final HIPAA Privacy Ruling includes provisions for the confidentiality and protection of Individually Identifiable Health Information (IIHI) and Protected Health Information (PHI). Note that the privacy requirements apply to information exchanged in any medium (electronic, written or oral). There are five key areas covered by the regulations:

Boundaries

  • Information is used for intended purposes only
  • Consumer disclosure is performed

Security

  • Administrative mechanisms (operational policies and procedures) established to keep information private
  • Technical mechanisms (information system protections) established to keep information private
  • Physical mechanisms (facility controls) established to limit access to only those staff having an operational need to view information
  • Each of the above security components is meant to be scalable to the organization implementing it and should reflect that organization's general operational and technical environment

Consumer Control

  • Informed consent to use information for uses other than payment, treatment and healthcare information
  • Right to access and amend information
  • Record of disclosures must be kept and available to members

Accountability

  • Federal penalties (civil and criminal) for violations
  • Effective compliance activities to deter, identify and punish violators

Public Responsibility

  • Process established for disclosing information for public health, research and legal purposes

Security Standard

The Draft Security Ruling includes three primary areas of focus that support the privacy and confidentiality requirements of HIPAA and establish a more consistent information system environment:

Administrative Procedures

  • Certification review of systems and security program (internal or external)
  • Chain of trust agreements with 3rd party trading partners covering the requirements for patient-sensitive information
  • Policies and procedures for all staff to ensure information, personnel and facility security
  • Access authorization controls
  • Proactive internal audits of procedures
  • Personal authorization
  • Security management process
  • Termination process
  • Employee training

Physical Safeguards

  • Assigned responsibility (Security Officer or staff designee)
  • Media controls over hardware and software
  • Access controls
  • Workstation policies
  • Secure workstations
  • Employee training

Technical Standards

  • Access controls
  • Audit controls
  • Authorization controls
  • Data authentication
  • Entity authentication

Note that the final security ruling is expected from HHS by 6/30/02 with compliance expected by 8/31/04.

Unique Identifiers

To help simplify the communication of information within the healthcare industry and reduce the duplication of identifying information, HIPAA includes the use of unique identifiers to process all health encounter and claim information. The Employer Identifier has been finalized and compliance is expected by 7/31/04. The provider and health plan identifiers are expected by the end of the summer of 2002, with compliance expected during the fall of 2004:

The Federal Tax ID number currently used by the Internal Revenue Service will be used (9 digits separated by hyphen, e.g. 00-0000000) to identify employers and employer groups.

National Provider Identifier – a proposed new eight-character alphanumeric or 10-digit numeric identifier with a check digit will be used to identify providers.

Health Plan Identifier – a national standard plan identification number will be developed and used to identify health plans. A standard has not yet been proposed.

all rights reserved, 2002-2007. 
Matria Healthcare Oncology Program 
A Matria Company