Health Insurance Portability and Accountability Act (HIPAA)
The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the U.S. Congress in 1996.
The goals and objectives of this legislation are to:
- enable workers of all professions to change jobs, even if they (or family members) have pre-existing medical conditions;
- guarantee the security and privacy of health information;
- make it easier to detect and prosecute fraud and abuse;
- reduce paperwork and costs;
- set and enforce standards for health information;
- streamline industry inefficiencies.
Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs.
Title II of HIPAA, known as the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers. The AS provisions also address the security and privacy of health data.
HIPAA is meant to improve the efficiency and effectiveness of the nation's health care system by encouraging the widespread use of electronic data interchange in the U.S. health care system.
Within HIPAA, the 'Privacy Rule' applies to all Protected Health Information (PHI), whether held on paper, electronically or in any other form.
The 'Security Rule', which complements the Privacy Rule, specifically addresses Electronic Protected Health Information (EPHI).
It mandates three categories of security controls that are required for compliance:
- administrative;
- physical;
- technical.
For each of these types, the Rule identifies various security standards, and for each standard, it defines required and addressable implementation specifications:
- required specifications must be adopted and administered as dictated by the Rule;
- addressable specifications are more flexible.
Note: Individual covered entities (those that must comply with HIPAA requirements) can evaluate their own situation and determine the best way to implement addressable specifications.
The standards and specifications are as follows:
Administrative Safeguards - policies and procedures designed to clearly show how the entity will comply with the Act.
- a business contingency plan (BCP) should be in place for responding to emergencies;
- access to EPHI must be restricted to only those employees who have a justified and documented need for it to complete their job;
- covered entities are responsible for backing up their data and having IT disaster recovery procedures (DRPs) in place. The DRPs and BCP(s) define recovery priority, testing and maintenance procedures;
- covered entities must adopt a written set of privacy procedures and designate a privacy officer to be responsible for developing and implementing all required policies and procedures;
- covered entities must show that an appropriate ongoing training program regarding the handling of PHI is provided to employees performing health plan administrative functions;
- covered entities that outsource some of their business processes to a third party must ensure that their vendors also have a framework in place to comply with HIPAA requirements. This is typically a contractual and/or service level agreement (SLA) requirement and subject to audit to prove compliance. This requirement also applies to any sub-outsourcing contracts;
- internal audits must be regularly performed for all operations within the covered entity to identify policy and procedure non-conformances. These must be planned and should be routine, process-based or event-based;
- policies and procedures must reference management oversight and organizational buy-in to compliance with the documented security controls and procedures;
- procedures must address access authorization, establishment, modification, and termination;
- procedures should clearly identify employees, or categories of employees, who will have access to EPHI;
- procedures should document instructions for addressing and responding to security incidents and breaches that are identified either during the audit or the normal course of operations;
- procedures should exist to address any non-conformances in a timely manner.
Physical Safeguards - controlling physical access to protect against inappropriate access to protected data:
- access to equipment containing health information should be carefully controlled and monitored;
- controls must govern the introduction and removal of hardware and software from the network;
- physical and logical access to hardware and software must be limited to properly authorized individuals;
- policies and procedures are required to address proper workstation use and siting;
- when equipment is retired it must be disposed of properly to ensure that PHI is not subject to unauthorised disclosure, access or use;
- where covered entities use third party employees, they must also receive appropriate training relating to their information security responsibilities (typically induction training, supported with an ongoing awareness training programme).
Technical Safeguards - controlling access to computer systems and enabling covered entities to protect communications containing PHI transmitted electronically over open networks from being intercepted by anyone other than the intended recipient:
- a documented approach to risk management is required, with documented results so risk treatment or acceptance decisions can be made and recorded;
- covered entities must document their HIPAA processes and procedures and make them available to the Government to determine compliance;
- covered entities must also authenticate entities with which they communicate, to ensure that they are who they claim to be;
- data corroboration, including the use of checksums, double-keying, message authentication (e.g. hashing) and digital signatures, may be used to ensure data integrity;
- each covered entity is responsible for ensuring that the data within its systems has not been changed or erased in an unauthorized manner;
- in addition to policies, procedures and records, information technology documentation should also include documentation of configuration items (CIs);
- information processing systems containing PHI must be protected from unauthorised internal and external access;
- where PHI is transmitted over 'closed' networks, existing access controls are considered sufficient and encryption is optional;
- where PHI is transmitted over 'open' networks, appropriate strength and types of encryption must be used.
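The integrity controls named above (checksums, message authentication, digital signatures) differ in what they can evidence. The following added example, which is not part of the original page and not an official HIPAA artefact, contrasts an unkeyed checksum with a keyed message authentication code (HMAC-SHA256) over a constructed EPHI record. The record contents and the integrity key are placeholders made up for the example; in a real system the key would come from a key-management service and never sit in source code.

```python
import hashlib
import hmac
import json

# Constructed sample EPHI record: every value below is made up for this example.
SAMPLE_RECORD = {
    "patient_id": "P-000123",
    "dob": "1980-04-02",
    "diagnosis_codes": ["E11.9"],
    "last_updated": "2024-01-15T10:32:00Z",
}

# Placeholder key for the example only; a deployment would fetch it from a key store.
INTEGRITY_KEY = b"example-integrity-key-not-for-production-use"


def canonical_bytes(record: dict) -> bytes:
    """Serialize deterministically (sorted keys, no whitespace) so identical
    content always produces identical bytes regardless of dict insertion order."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def unkeyed_checksum(record: dict) -> str:
    """Plain hash over the record. Anyone who can write the record can also
    recompute this value, so it evidences accidental corruption only."""
    return hashlib.sha256(canonical_bytes(record)).hexdigest()


def integrity_tag(record: dict, key: bytes) -> str:
    """Keyed tag (HMAC-SHA256). A valid tag cannot be produced without the key,
    so a stored record that fails this check was changed outside the
    controlled path, or the stored tag was not refreshed by the key holder."""
    return hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()


def verify_integrity(record: dict, tag: str, key: bytes) -> bool:
    """Constant-time comparison so verification time does not leak tag bytes."""
    return hmac.compare_digest(integrity_tag(record, key), tag)


def store_with_checksum(record: dict) -> dict:
    return {"record": record, "checksum": unkeyed_checksum(record)}


def store_with_mac(record: dict, key: bytes) -> dict:
    return {"record": record, "tag": integrity_tag(record, key)}


def check_checksum(entry: dict) -> bool:
    return unkeyed_checksum(entry["record"]) == entry["checksum"]


def check_mac(entry: dict, key: bytes) -> bool:
    return verify_integrity(entry["record"], entry["tag"], key)


def demo() -> dict:
    """Run the comparison and return which control detects which failure mode."""
    sum_entry = store_with_checksum(SAMPLE_RECORD)
    mac_entry = store_with_mac(SAMPLE_RECORD, INTEGRITY_KEY)

    # Simulated change to the stored copy made outside the authorized write path.
    modified = dict(SAMPLE_RECORD)
    modified["diagnosis_codes"] = ["Z00.00"]

    # Accidental corruption: the record changed but the stored integrity value did not.
    corrupted_sum_entry = {"record": modified, "checksum": sum_entry["checksum"]}
    corrupted_mac_entry = {"record": modified, "tag": mac_entry["tag"]}

    # Unauthorized modification where the writer also refreshed the unkeyed checksum;
    # without the key, the HMAC tag cannot be refreshed, so the old tag remains.
    refreshed_sum_entry = store_with_checksum(modified)

    return {
        "mac_accepts_untouched_record": check_mac(mac_entry, INTEGRITY_KEY),
        "checksum_accepts_untouched_record": check_checksum(sum_entry),
        "checksum_detects_accidental_corruption": not check_checksum(corrupted_sum_entry),
        "mac_detects_accidental_corruption": not check_mac(corrupted_mac_entry, INTEGRITY_KEY),
        "checksum_detects_modification_with_refreshed_checksum": not check_checksum(refreshed_sum_entry),
        "mac_detects_modification": not check_mac(corrupted_mac_entry, INTEGRITY_KEY),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point for a covered entity selecting controls under the Security Rule: an unkeyed checksum satisfies the "has the data been changed accidentally" question, while only a keyed tag (or a digital signature, which additionally binds the change to a particular signer and so supports the authentication requirement between communicating entities) lets the entity show that data was not altered in an unauthorized manner. Integrity tags should be stored and managed separately from the records they protect, and the key should be restricted to the authorized write path so that a failed verification is meaningful evidence during an audit or incident investigation.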