University of Florida Health Science Center Information Technology Center

HIPAA - An Overview


What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) was passed into law on Aug 21, 1996. The law is intended to improve the efficiency and effectiveness of the health care system by standardizing how data for specific administrative and financial transactions are exchanged, while protecting the security and confidentiality of that information. Specifically, the following areas are addressed:

  1. Concerns that disclosure of patient medical records could result in embarrassment, insurance declination, loss of employment, or failure to be hired in a new job;
  2. Increasing costs of data exchange in an environment of incompatible and often competing standards for administrative and financial data;
  3. The need to implement processes and systems to reduce fraud.

HIPAA deals with three standards. One standard, on administrative issues, addresses the efficiency and effectiveness of interchanging electronic data for administrative and financial transactions such as insurance claims and payments, insurance eligibility and enrollment, and premium payments. This component also sets standards for which codes can be used to indicate the procedures performed (e.g. CPT and ICD-9 for clinical procedures and diagnoses, among others), who performed the procedure (unique provider ID), and on whom the procedure was performed (unique patient ID).

Security and privacy are the other two standards. HIPAA requires the security of Individually Identifiable Health Information (IIHI) and mandates privacy, security, confidentiality, and controlled and auditable access to it. This has a MAJOR impact on how we currently store and allow access to patient data.

What does HIPAA mean to me?

HIPAA forces us to examine closely how we manage patient information stored on the infrastructure we manage. We all have safeguards to prevent unauthorized users from accessing 'sensitive' information, but we are now faced with HIPAA's fundamental requirement that inserts the individual (i.e. the patient) into the equation, with new rights to control their own information. Apart from the right to inspect, amend and correct their confidential health information, patients now also have the right to control what information can be released and to whom. They are also entitled to an accounting of past transactions against their records, including any transfer of data to other individuals or organizations.

It is essential that everyone understand the difference between "privacy" and "security"; you can have very secure systems where privacy is non-existent. Security involves the means to protect information from unauthorized access. Privacy involves control of access to information as dictated by the authorization of the owner of the information and/or the subject of the information (i.e. the patient).
Therefore, be aware that implementing processes, procedures and systems to meet only HIPAA's security requirements is not sufficient and will not pass a compliance review.

The privacy standards of HIPAA outline specific rights for the individual (the patient) regarding their health information, and obligations on the keepers of the data.

These rules would:

  1. Permit health information to be used and shared freely only for treatment, payment and healthcare operations;
  2. Allow health information to be disclosed without patient authorization for certain other purposes (such as research, public health, and oversight), but only under defined circumstances;
  3. Require written authorization for use and disclosure of health information for any other purpose;
  4. Create a set of practices to inform patients how their information is used and disclosed, and ensure they have access to information about them; and
  5. Require health plans and providers to maintain administrative and physical safeguards to protect the confidentiality of health information and guard it from unauthorized access.

Under the proposed rule, we would be prohibited from using or disclosing health information except as authorized by the patient or specifically permitted by the regulation. Note that protection for health information would start when the information becomes electronic, either by being sent electronically in a specified transaction or by being maintained in a computer system. Printed copies of electronic information are also protected under the new rule.

At this point it is important to note that these protections are mandated only if the information identifies a specific individual. This means that it is OK to use de-identified health information in any way we choose, as long as the identifiers have been "stripped" and any key that would allow the information to be re-identified is not disclosed along with it.
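The following is an added example, not code from the original page or from the HSC IT Center, showing what "stripping" identifiers while withholding the re-identification key looks like in practice. The list of direct identifiers, the record layout, the generalization of birth dates to years and the sample records are all assumptions made for the example; no real patient data is used.

```python
"""Added example: releasing de-identified records while keeping the
re-identification key separate from the released data.

The identifier list, record layout and generalization rule are assumptions
for illustration, not the regulation's own definitions; all records are constructed.
"""
import hashlib
import hmac
from typing import Dict, List, Tuple

# Fields treated here as direct identifiers and removed from the released set
# (an assumed set for the example, not the regulation's list).
DIRECT_IDENTIFIERS = ("name", "mrn", "ssn", "phone", "address", "email")

# Constructed sample records; no real patients.
RECORDS: List[Dict[str, str]] = [
    {"name": "Jane Doe", "mrn": "000123", "ssn": "123-45-6789", "phone": "352-555-0100",
     "address": "1 Main St", "email": "jane@example.org",
     "dob": "1961-03-14", "visit_date": "2000-11-02", "diagnosis": "250.00"},
    {"name": "Jane Doe", "mrn": "000123", "ssn": "123-45-6789", "phone": "352-555-0100",
     "address": "1 Main St", "email": "jane@example.org",
     "dob": "1961-03-14", "visit_date": "2000-12-01", "diagnosis": "401.9"},
    {"name": "John Roe", "mrn": "000987", "ssn": "987-65-4321", "phone": "352-555-0199",
     "address": "9 Elm St", "email": "john@example.org",
     "dob": "1975-08-30", "visit_date": "2000-11-20", "diagnosis": "493.90"},
]


def pseudonym(mrn: str, key: bytes) -> str:
    """Keyed one-way token for a patient: the same MRN always yields the same
    token (so a patient's visits stay linkable), but without `key` the token
    can be neither reversed nor recomputed from a guessed MRN."""
    return hmac.new(key, mrn.encode(), hashlib.sha256).hexdigest()[:16]


def de_identify(records: List[Dict[str, str]], key: bytes) -> Tuple[List[Dict[str, str]], Dict[str, str]]:
    """Strip direct identifiers and replace the MRN with a pseudonym.

    Returns (released_records, crosswalk). The crosswalk (token -> MRN) together
    with `key` is the re-identification key: it stays with the data custodian
    and is never shipped with the released records."""
    released: List[Dict[str, str]] = []
    crosswalk: Dict[str, str] = {}
    for rec in records:
        token = pseudonym(rec["mrn"], key)
        crosswalk[token] = rec["mrn"]
        out = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        out["patient_token"] = token
        out["birth_year"] = out.pop("dob")[:4]  # generalize full DOB to year (assumed rule)
        released.append(out)
    return released, crosswalk


def contains_direct_identifiers(released: List[Dict[str, str]]) -> bool:
    """Release-time check: no record may still carry a direct identifier field."""
    return any(field in rec for rec in released for field in DIRECT_IDENTIFIERS)


def re_identify(token: str, crosswalk: Dict[str, str]) -> str:
    """Only the holder of the crosswalk can do this; the released data alone cannot."""
    return crosswalk[token]


if __name__ == "__main__":
    secret = b"custodian-held key, never released with the data"  # assumed value
    data, cw = de_identify(RECORDS, secret)
    assert not contains_direct_identifiers(data)
    for row in data:
        print(row)
    print("token of first record maps back to MRN:", re_identify(data[0]["patient_token"], cw))
```

The point of the keyed token over a plain hash is that an MRN space is small enough to enumerate; a recipient who knows the hashing scheme could otherwise rebuild the mapping without ever being given a key.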

When may HIPAA not apply?

HIPAA excludes a class of transactions from many, but not all, of the Act's requirements. Specifically, those transactions necessary for treatment, payment and healthcare operations are exempt from the patient-authorization requirement. However, if such transactions ultimately result in a violation of a patient's rights, the repercussions may be significant. Think in this context of potential problems such as interception, delivery to the wrong party, or exchanging more than the minimum data necessary to satisfy the transaction.

The general rule is that protection of health information starts when patient information becomes electronic either by being sent electronically or by being maintained in a computer system. Note that paper printouts of electronic information are also protected under the new HIPAA rules.

What is my responsibility in complying with HIPAA?

Now that we know we have a problem, we find that we must:

  1. Secure all medical records from unauthorized access, including access by our own employees.
  2. Adopt policies, procedures, controls, audit trails and systems which will assure that medical data will not be revealed or disclosed for any purpose other than treatment, payment and healthcare operations without the express written consent of the patient.
  3. Provide strong authentication for all access to, and all transfer or movement of, medical information.
  4. Make certain that information disclosed in any manner is not disclosed in violation of patient consent.
  5. Log all access to, transfer of and use of patient data, including for backup purposes, and audit those accesses, transfers and uses against patient authorization.

What is the Impact on IT Operations?

Just HIPAA's security mandate alone will have a significant impact on our daily operations. For starters, think of all the local databases you may have on your file servers that contain IIHI. You are faced with several issues, such as data security, data integrity (think of viruses), backup, off-site storage, access control, access administration, programming controls, media storage, workstation security, data transmission including e-mail, and authentication. HIPAA calls for:

  1. Documented formal procedures for selecting and executing security measures;
  2. Physical safeguards to protect computer systems and other pertinent equipment from fire, other hazards, and intrusion;
  3. Processes to protect, control and monitor access to the information; and
  4. Processes to prevent unauthorized access to the data when it is transmitted over communication networks or when it physically moves from one location to another on media such as magnetic tape, removable disks or CDs.

Dealing with confidentiality requires that audit mechanisms be in place to record and examine any access to IIHI. Many of the databases we currently use to store patient information do not have audit mechanisms. Keep in mind that the patient has the right to an accounting of who accessed their information.
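The responsibilities listed above (log every access, transfer and use, including backups, and audit them against patient authorization) and the audit-mechanism point just made can be illustrated with a small log review. The code below is an added example, not code from the original page or from the HSC IT Center. The key=value log format, the purpose names, the authorization table and every log line are assumptions constructed for the example.

```python
"""Added example: reviewing an IIHI access log against patient authorization
and producing the per-patient accounting of who accessed a record.

The log line format, purpose names and authorization table are assumptions
made for this example; all log lines and patient identifiers are constructed.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Uses and disclosures that, per the page, need no written patient authorization.
PERMITTED_WITHOUT_AUTHORIZATION = {"treatment", "payment", "operations"}

# Constructed written authorizations: patient id -> additional purposes the
# patient has authorized in writing.
WRITTEN_AUTHORIZATIONS: Dict[str, Set[str]] = {
    "000123": {"research"},
    "000987": set(),
}

# Constructed access log, one event per line, in an assumed key=value format.
# The nightly backup is logged too; patient=* means every record was copied.
ACCESS_LOG = """\
2000-12-08T09:02:11 user=rn_lopez patient=000123 action=read purpose=treatment
2000-12-08T09:15:40 user=billing1 patient=000123 action=read purpose=payment
2000-12-08T10:30:05 user=dr_chen patient=000123 action=export purpose=research
2000-12-08T11:05:22 user=dr_chen patient=000987 action=export purpose=research
2000-12-08T13:12:00 user=mkt_team patient=000987 action=read purpose=marketing
2000-12-08T23:00:00 user=backup_svc patient=* action=copy purpose=operations
2000-12-08T23:30:00 user=intern7 patient=000123 action=read
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) patient=(?P<patient>\S+) action=(?P<action>\S+)"
    r"(?: purpose=(?P<purpose>\S+))?$"
)


def parse_log(text: str) -> List[Dict[str, Optional[str]]]:
    """Parse the log. An unparseable line is itself an audit failure, so raise."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable audit line: {line!r}")
        events.append(m.groupdict())
    return events


def check_event(ev: Dict[str, Optional[str]], authorizations: Dict[str, Set[str]]) -> Optional[str]:
    """Return None if the access is consistent with patient authorization,
    otherwise a short reason for flagging it."""
    purpose = ev["purpose"]
    if purpose is None:
        return "no purpose recorded"  # cannot be audited against any authorization
    if purpose in PERMITTED_WITHOUT_AUTHORIZATION:
        return None
    if ev["patient"] == "*":
        return f"bulk access for '{purpose}' needs authorization from every patient"
    if purpose in authorizations.get(ev["patient"], set()):
        return None
    return f"purpose '{purpose}' not authorized in writing by patient {ev['patient']}"


def review(text: str, authorizations: Dict[str, Set[str]]) -> List[Tuple[int, str]]:
    """Audit every logged access; returns (line index, reason) for each violation."""
    findings: List[Tuple[int, str]] = []
    for i, ev in enumerate(parse_log(text)):
        reason = check_event(ev, authorizations)
        if reason is not None:
            findings.append((i, reason))
    return findings


def accounting_for_patient(text: str, patient: str) -> List[Dict[str, Optional[str]]]:
    """What a patient is entitled to see: who touched their record, when and why.
    Bulk events such as the backup are included because they copied the record too."""
    return [ev for ev in parse_log(text) if ev["patient"] in (patient, "*")]


if __name__ == "__main__":
    for idx, why in review(ACCESS_LOG, WRITTEN_AUTHORIZATIONS):
        print(f"line {idx}: {why}")
    for ev in accounting_for_patient(ACCESS_LOG, "000123"):
        print(ev["ts"], ev["user"], ev["action"], ev["purpose"])
```

Two design choices matter here: an access with no recorded purpose is flagged rather than ignored, because a log entry that cannot be matched against an authorization gives the auditor nothing to work with, and the backup job's bulk copy shows up in every patient's accounting, since the page is explicit that backups count as access.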

What do we need to do and by when?

All entities subject to the regulations will need to be in full compliance within two years. These entities include all payers, providers and business partners that collect, store, disclose and/or transmit health care data in electronic format. This means that you have a problem NOW if you store any kind of patient-identifiable information on any computer-based system under your control and have not already addressed the privacy and security issues mandated by the HIPAA regulations. For those of us who keep IIHI on laptop computers, there are additional hurdles and issues, including theft of the computer.

What if I don't Comply after the Deadline?

There are significant criminal and civil penalties for non-compliance, as well as serious liability risks for unauthorized disclosure of IIHI. The law calls for several significant monetary penalties and imprisonment for extended periods of time.

How will we reach compliance?

Learn and understand the impact of HIPAA's proposed security regulations on your shop. Then:

  1. Identify the systems containing IIHI covered under HIPAA and conduct a risk assessment to evaluate the potential risks and vulnerabilities.
  2. Assess your current security and privacy practices.
  3. Begin working on policies, procedures, and technology for managing and monitoring patient confidentiality and security.
  4. Look at your computer systems and network: limit physical access to systems containing IIHI, and develop policies and procedures for the removal, replacement and disposal of hardware and media.
  5. Develop instructions and procedures for the secure use of computer workstations.
  6. Assess the need for on-going training and user education on the HIPAA regulations and on your policies and procedures.

How to get help?

The HSC and Shands HealthCare leadership will be working with faculty, physicians, residents, students, and staff to provide the support needed to become compliant with the HIPAA regulations. We all must become informed and aware, and support the processes we need. There are a number of Web sites that provide additional information.

Jan J. van der Aa, Director, HSC IT Center
December 8, 2000


IT Center
PO Box 100152
Gainesville, Florida 32610-0152
Last updated: Tuesday, 11-Jul-2006 10:39:51 EDT

Copyright © 2005 | University of Florida