Health Insurance Portability and Accountability Act (HIPAA)
The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996. As part of HIPAA, Congress called for regulations promoting administrative simplification of healthcare transactions as well as regulations ensuring the privacy and security of patient information. HIPAA is designed to protect confidential healthcare information through improved security standards and federal privacy legislation. It defines requirements for storing patient information before, during and after electronic transmission. It also identifies compliance guidelines for critical business tasks such as risk analysis, awareness training, audit trails, disaster recovery plans, information access control, and encryption.
Covered Entities (CEs) must comply with the HIPAA Security Rule. This applies to health plans (e.g. HMOs and group health plans), health care clearinghouses (e.g. billing companies), and health care providers (e.g. doctors, dentists and hospitals) who transmit or store any Electronic Protected Health Information (EPHI). CEs must maintain reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of their EPHI against any reasonably anticipated risks.
CEs must take appropriate measures to mitigate all reasonably anticipated risks to their EPHI. They must balance their resources and business requirements against the risks to their EPHI. All members of a CE's workforce, including management and those who work from home, must comply with the rule.
CEs must formally document and approve a wide variety of security processes, policies, and procedures. Additionally, CEs must provide regular security training and awareness to their workforce and revise their security policies and procedures as needed.