FAQ: What is the impact of HIPAA on IT operations?

This FAQ provides guidance on how the Health Insurance Portability and Accountability Act affects IT operations, including what is required and what penalties are applied.

This FAQ guide describes the impact of the Health Insurance Portability and Accountability Act on IT operations, includes the guidelines that health care organizations must follow in order to meet compliance mandates, and provides answers to frequently asked HIPAA questions and an overview of what penalties are involved. This is the essential toolkit for anyone involved in IT compliance as it relates to HIPAA.

What is HIPAA?

HIPAA is the Health Insurance Portability and Accountability Act of 1996. There are two sections in HIPAA:

Title I provides protections for the health insurance coverage of people who lose or change jobs. HIPAA made changes to three areas in the continuation coverage rules applicable to group health plans under the Consolidated Omnibus Budget Reconciliation Act of 1985 -- or COBRA -- each of which is described more extensively by the US Department of Labor at DOL.gov.

Title II is where organizations feel the impact of HIPAA on IT operations. It includes a section that deals with the standardization of healthcare-related information systems for electronic data interchange. These mandatory regulations all required extensive changes to the way that health providers conduct business.

Compliance with HIPAA is administered by the U.S. Department of Health and Human Services (HHS), which publishes requirements and sets deadlines for organizations to comply. HHS provides up-to-date information about HIPAA at HHS.gov.

What is generally required by HIPAA?

Compliance with HIPAA requires organizations to implement safeguards and security standards when electronically storing and transmitting personal health information. HIPAA mandates standardized formats for all patient health, administrative and financial data. HIPAA also requires a unique identifier (essentially an ID number) for each healthcare entity, including individuals, employers, health plans and healthcare providers.

As the legislation was drafted, two additional rules were added to protect the privacy and safety of individuals' personal health information (PHI). These are called the Privacy Rule and the Security Rule. The Privacy Rule is the comprehensive federal protection for the privacy of PHI, according to the National Institutes of Health (NIH). More information on the Privacy Rule can be found at PrivacyRuleandResearch.NIH.gov. The Centers for Disease Control and Prevention also offers guidance on the Privacy Rule and public health.

The Security Rule describes best practices organizations must adopt to protect the confidentiality, integrity and availability of electronic protected health information (ePHI). The Security Rule contains three types of standards: administrative, physical and technical. These standards are wide-ranging and require the involvement of a broad mix of people, processes and technology for full compliance.

HIPAA specifically requires that public companies or those that handle personal health information monitor or retain audit trails. To meet this requirement, event log management software (ELMS) is used to monitor change management and prepare for compliance audits at enterprises. ELMS is a key tool for IT administrators who must demonstrate to executives that an organization is prepared for a compliance audit.

Although wireless devices are not detailed in HIPAA's Security Rule, they must be considered part of the entire system for electronically storing and transmitting data.

Many IT departments find value in a third-party assessment of HIPAA compliance. The URAC (formerly the Utilization Review Accreditation Commission), the largest accrediting body for healthcare, will certify that a healthcare organization's operations are in compliance with HIPAA standards. The URAC provides an IT department with documentation and evidence of due diligence that support an organization's overall risk management efforts. As Robert N. Mitchell wrote for AdvanceWeb.com, the URAC has reported progress on HIPAA programs.

No good way to measure HIPAA compliance
It's been years since HIPAA took effect. But for many IT pros in the healthcare sector, measuring actual compliance is still tricky.

What's the best strategy to catch up on HIPAA compliance quickly?
Learn how to build a good compliance program for HIPAA in order to protect patient information and avoid fines and penalties.

HIPAA privacy records and guidelines: Building secure systems
Learn how to achieve compliance with HIPAA certification and how to avoid and fix risks with password security, privacy regulations, records and guidelines.

Reading between the HIPAA guidelines
HIPAA legislation explains what needs to be done to achieve compliance, but it fails to spell out how. Learn how to stay HIPAA compliant when sending work overseas.

Maintaining HIPAA compliance
It's been several years since covered entities were required to comply with HIPAA. Learn how you can ensure your customers' ongoing compliance in this Ask the Expert Q&A.

Who is affected by HIPAA compliance?

The Security Rule applies to healthcare organizations that create, receive, maintain or transmit ePHI, including:

  • Healthcare providers: Providers of medical or other health services or suppliers who transmit any electronic health information.
  • Health plans: Individual or group plans, including employer-sponsored health plans, Medicare and Medicaid programs.
  • Healthcare clearinghouses: Public or private entities that process healthcare transactions from a standard format to a nonstandard format or vice versa.
  • Medicare prescription drug card sponsors: Any entity that offers an endorsed discount drug program under the Medicare Modernization Act.

As a result of the financial and legal penalties that noncompliance imposes, corporate executives have pushed financial and IT departments toward compliance validation. In the years since HIPAA's introduction, healthcare organizations have developed a clearer picture of what practices will best protect themselves and patient information.

Lake Forest Hospital's Rx for HIPAA compliance
Learn how merging networks helped one medical facility with HIPAA compliance requirements.

March to HIPAA: Bitter pill or best prescription?
SearchSecurity.com interviewed IT, security and compliance professionals across the United States over a two-month period to learn more about their progress.

HIPAA Compliance Guide
Value-added resellers and security consultants can help healthcare practitioners comply with HIPAA by educating small and medium-sized businesses (SMBs) during product sales and by implementing risk analysis.

HIPAA causes data security problems for small businesses
If your local dentist isn't complying with HIPAA's security rules, he's not alone. Experts say most doctors' offices aren't getting it.

One way to avoid HIPAA headaches
Research showed many SMBs avoided HIPAA compliance "like the plague" in the years immediately after the act's passage. One community health care provider says he found a cure.

What is the role of IT in HIPAA compliance?

Compliance is now a deeply embedded aspect of corporate IT culture. Why? HIPAA requires that the privacy of health records be protected, wherever they reside or whenever they are moved. That means the impact of HIPAA can be felt by nearly every aspect of IT operations, including messaging, storage, virtualization and even networking, so long as electronic PHI (ePHI) records are stored within or transferred over them. In turn, IT must be able to produce evidence of the security of these systems for compliance audits.

Healthcare organizations must be able to demonstrate that they have standardized mechanisms for the security and confidentiality of all healthcare-related data. From an IT perspective, there are several general guidelines that entities must follow:

  • Ensure the confidentiality, integrity and availability of all ePHI, including the protection of patient privacy by encrypting medical records.
  • Protect against reasonably anticipated threats or hazards to the ePHI the entity creates, receives, maintains or transmits.
  • Deliver visibility, control and detailed auditing of data transfer.
  • Protect against reasonably anticipated uses or disclosures of ePHI, including preventing the loss of confidential medical records via removable devices.
  • Ensure that the organization's workforce complies with HIPAA and minimizes the threat of data being stolen for financial gain.
  • Review security measures as needed to ensure reasonable and appropriate protection of ePHI.

Many enterprise IT shops use Control Objectives for Information and related Technology (COBIT) as a reference framework for this work. COBIT is an open standard that defines requirements for the control and security of sensitive data. According to WhatIs.com's definition for COBIT, the standard "consists of an executive summary, management guidelines, framework, control objectives, implementation tool set and audit guidelines. Extensive support is provided, including a list of critical success factors for measuring security program effectiveness and benchmarks for auditing purposes."

The IT departments of all companies that handle PHI must be aware of the key requirements of HIPAA, including log management, backups and the security of electronic communications. IT departments also approach HIPAA compliance through PHI flow analysis, training, policy and procedure refinement, risk analysis and self-assessment.

The impact of HIPAA can also be felt on Web 2.0 technologies like blogs, wikis and social networking. Such platforms are introducing all-new compliance headaches, as gigabytes of data are generated through messaging and sharing. If it pertains to private health records, enterprise IT professionals must prepare for the inevitable visit by a HIPAA compliance auditor looking for log files and security holes. Increasingly, compliance officers are using event log management software to track key moments where data enters or exits an enterprise, like email systems or the addition or departure of employees with access to sensitive financial data.

Perfect HIPAA security impossible, experts say
Two years after HIPAA security rules took effect, IT pros in the healthcare sector found that constant security improvements are necessary for compliance.

HIPAA security and Lotus Notes Domino
Learn how HIPAA changes will affect Lotus Notes Domino security.

What are the penalties for noncompliance?

The consequences for noncompliance with HIPAA regulations can be substantial. The severity of the penalty varies with the infraction; both civil and criminal charges may be levied by the Office for Civil Rights (OCR). The criminal penalties for violating the HIPAA privacy standards can be found in 42 USC 1320d-6 (HIPAA Sec. 1177).

It states that:

     A person who knowingly and in violation of this part:

  1. uses or causes to be used a unique health identifier;
  2. obtains individually identifiable health information relating to an individual; or
  3. discloses individually identifiable health information to another person,

Shall be punished as provided below:

  1. be fined not more than $50,000, imprisoned not more than 1 year, or both;
  2. if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than 5 years, or both; and
  3. if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both.

When it comes to IT operations, compliance with HIPAA has historically been accomplished as part of more generalized security preparations. Healthcare entities generally received attention only when an individual or organization made a complaint. As Kate Norton wrote for SearchSecurity.com in 2007:

Enforcement of the HIPAA Administrative Simplification rules is complaint-driven only -- and at least for the foreseeable future. Privacy rule complaints go to the U.S. Department of Health and Human Services' (HHS) Office for Civil Rights. The OCR handles civil penalties and refers potential criminal complaints to the Department of Justice. All other rules under Administrative Simplification, including the security rule, will be enforced by HHS' Centers for Medicare and Medicaid Services (CMS) Office of HIPAA Standards. This is true of all "covered entities" large and small. There is no government agency or other body that officially audits proactively for HIPAA compliance.

In 2009, however, HIPAA privacy regulations have teeth. As Randy Nash points out in a recent tip for SearchSecurity.com, the HHS has levied penalties against a healthcare agency.

Rebecca Herold, a frequent contributor to TechTarget sites on compliance-related issues and resident editor at Realtime-ITCompliance.com, has already blogged about two organizations that have been sanctioned this year. In one case, CVS must pay $2.25 million and improve its information security practices.

Answers to frequently asked HIPAA questions

All answers are provided by security management expert Mike Rothman.

Is a lack of employee privacy a HIPAA violation?
Insufficient employee privacy for those who handle Medicare and Medicaid claims can result in a HIPAA violation. Learn how to keep this data safe and keep your organization HIPAA compliant.

As the nursing QI, do I have the right to patient information under HIPAA?
Under HIPAA's guidelines, it can be hard to tell who should have access to what information. So who makes the call?

Is it against HIPAA regulations to permanently store sensitive information?
Rothman examines the issue and brings up other issues to keep in mind.

Is it a violation of HIPAA to collect consumer Social Security numbers?
Rothman tackles the question, and unveils how to handle employees who disregard corporate policies.

Will an off-site employee exit procedure violate HIPAA regulations?
Rothman discusses if it is a HIPAA violation to discuss clients or handle business matters in a public environment.

Is it against HIPAA regulations to display client names?
Rothman discusses the terms of HIPAA -- specifically if it is a violation of the act to publicly display client names.
