The Health Insurance Portability and Accountability Act (HIPAA) became law in 1996 and was intended to improve health insurance information portability and simplify the administration of health care information.
The Administrative Simplification provisions of HIPAA required the establishment of national standards for electronic health care transactions and code sets, and of national identifiers for providers, health plans and employers, all intended to ensure the security and privacy of health information. These standards for electronic data interchange improved the efficiency and effectiveness of the health care system.
Under HIPAA, "covered entities" are required by law to be HIPAA compliant. A covered entity is a health plan, a health care clearinghouse or a health care provider who electronically transmits any of the "defined" HIPAA transactions. The University of 亚洲影院 has several areas which fall under the HIPAA definition of a covered entity, and as such, we are required by law to be compliant.
Health Information Technology for Economic and Clinical Health Act
The U.S. Department of Health and Human Services (HHS) issued regulations requiring health care providers, health plans, and other entities covered by the Health Insurance Portability and Accountability Act (HIPAA) to notify individuals when their health information is breached. These "breach notification" regulations implement provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of the American Recovery and Reinvestment Act of 2009 (ARRA).
Privacy and Security Rules
The HIPAA Privacy Rule sets standards for how protected health information should be controlled by setting forth what uses and disclosures are authorized or required and what rights patients have with respect to their health information.
The Privacy Rule applies to protected health information in any form once it has been transmitted electronically.
The HIPAA Security Rule sets forth administrative, physical and technical safeguards to protect the confidentiality, integrity and availability of electronic protected health information (ePHI). The standards require covered entities to implement basic safeguards to protect ePHI from unauthorized access, alteration, deletion and transmission.
The Security Rule applies only to protected health information in electronic form.
The Security Rule contains standards that must be adopted by a covered entity. The Security Rule also contains implementation specifications that are designated as required or addressable.
A required implementation specification is one that a covered entity must implement.
An addressable implementation specification is one that a covered entity must assess to determine whether it is a reasonable and appropriate safeguard in its environment, and, if so, must implement. If implementing the specification is not reasonable and appropriate, the covered entity must document why it would not be reasonable and appropriate to implement that specification and must implement an equivalent alternative measure if reasonable and appropriate.
Covered entities are required to do the following in general:
Ensure the confidentiality, integrity and availability of all electronic protected health information the covered entity creates, receives, maintains or transmits;
Protect against any reasonably anticipated threats or hazards to the security or integrity of such information;
Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the Privacy Regulations; and
Ensure compliance with the security regulations by its workforce.
Resources, Policies and Related Links