Most nurses have heard the term, but what exactly is HIPAA? More than 10 years ago, experts recognized that electronic transmission of health information could reduce the costs of paper-based insurance processing, but a common national electronic code would be needed. This "portability" of individually identifiable Protected Health Information (PHI) would also require "accountability" to the public for privacy and security. Therefore, the U.S. Congress created the Health Insurance Portability and Accountability Act (HIPAA) of 1996 for "administrative simplification" of electronic health information transactions. HIPAA includes finalized standards with compliance dates (for electronic transactions, privacy, security, and a unique identifier for employers), and proposed standards (for enforcement with civil and criminal penalties, unique identifiers for healthcare providers and health plans, and an electronic signature). These national standards apply to "covered entities" such as a healthcare provider or health plan. Ensuring accountability demands both organizational standards for people and technology standards for devices. Some implementation of the standards is flexible; the rules are "scalable" (adaptable to the size of the entity), "technology neutral" (entity can select appropriate technology solutions), and some implementations are not "required" but are "addressable" (alternative approaches considering relative risks and costs to the entity).
Security Rules
The recently published final rule on security was designed to protect electronic PHI confidentiality (safe from wrongful access), integrity (safe from alteration), and availability (safe from loss) (DHHS, 2003). The security standards pertain only to patient data in electronic form; patient data in paper form will not have this protection. Electronic data means both storage media (hard drives, magnetic disks and tapes, optical disks) and transmission media (Internet, dial-up lines). The final rule contains administrative policies, physical safeguards, and technical safeguards.
Required administrative policies include security management, a security official, risk analysis, identification and response to a security incident (breach), a sanction policy, information system activity review (similar to an audit), and a contingency plan for data backup, system failure, environmental disaster recovery, and emergency situations. The data backup plan requires the entity to create and store retrievable, exact copies of electronic patient data. Addressable administrative policies include procedures to authorize access to PHI and security training.
Required physical safeguards include policies that limit physical access to the facility, workstations, electronic devices, and media. A policy is required for the movement and disposal of any electronic PHI.
Required technical safeguards include a unique user name or number for identification and authentication of permission to access PHI. In an electronic health file, the activity of any user is permanently recorded, can be examined at a later date, and has nonrepudiation (individual cannot deny accessing information). Addressable technical safeguards include automatic logoff, encryption, integrity, and corroboration (evidence that PHI was not altered). Integrity safeguards ensure that the electronic patient data are clearly represented in the original format, complete, correctly identified, retrievable, and have not been altered, destroyed, or wrongfully transmitted.
Learning More
The time has come to learn about the security advantages of electronic records! Invite your security officer to a staff meeting, read about security in the informatics textbooks, and request presentations on informatics at nursing conferences. Be wary of commercial software developers who broadcast impending disaster. Visit the HIPAA Web site or sign up for the HIPAA Outreach Listserv sponsored by the National Institutes of Health (CMS, 2003;NIH, 2003).
References