The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is the regulatory framework for the U.S. health care industry. The statute includes five titles.
The Administrative Simplification portion of HIPAA (Title II) mandated six interrelated standards, among them the HIPAA Privacy Rule and the HIPAA Security Rule.
The federal rules administered by HHS to protect patient privacy are:
HIPAA Privacy Rule – protects the privacy of individually identifiable health information;
HIPAA Security Rule – sets national standards for the security of electronic protected health information (ePHI);
HIPAA Breach Notification Rule – requires covered entities and business associates to provide notification following a breach of unsecured protected health information;
Patient Safety Rule – protects identifiable information used to analyze patient safety events and improve patient safety (issued under the Patient Safety and Quality Improvement Act of 2005 and administered by HHS alongside the HIPAA rules).
Who is affected
Covered Entity (CE)
Health care providers that transmit any health information electronically (e.g. hospitals)
Health plans (e.g. health insurance companies)
Health care clearinghouses (entities that translate data content into standard formats, e.g. billing services and other intermediaries)
A health care provider is a CE only if it electronically transmits health information in connection with a transaction for which HHS has adopted a standard; health plans and clearinghouses are CEs regardless.
Business Associate (BA)
A business associate is a person or organization that performs functions or services involving PHI on behalf of a covered entity:
Data analysis, claims processing, quality assurance review, data storage, etc.
BAs may "create, receive, maintain, or transmit" PHI.
Entities and subcontractors that merely store or maintain PHI (e.g. cloud storage providers) are also considered BAs, even if they never view the data.
Areas covered by the HIPAA Security Rule
Administrative safeguards
Physical safeguards
Technical safeguards
Organizational requirements
Policies, procedures, and documentation requirements
NIST SP 800-66 elaborates on the HIPAA Security Rule's safeguards and maps each standard to the recommended security controls in NIST SP 800-53.