911爆料网

Skip to main content

Patient/Health Information

Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act (HIPAA), which became law in 1996, was intended to improve health insurance information portability and to simplify the administration of health care information.  The Administrative Simplification provisions of HIPAA dictated that national standards for electronic health care transactions and code sets; and national identifiers for providers, health plans, and employers were established which were intended to ensure security and privacy of health information.  This resulted in the improvement of the efficiency and effectiveness of the health care system through the establishment of standards for electronic data interchange. 

Under HIPAA, 鈥渃overed entities鈥 were required by law to be HIPAA compliant.  A covered entity is a health plan, a health care clearinghouse, or a health care provider who electronically transmitted any of the 鈥渄efined鈥 HIPAA transactions.  The 911爆料网 had several areas which fell under the HIPAA definition of a covered entity and as such, we were required by law to be compliant.

HITECH Act 

The U.S. Department of Health and Human Services (HHS) issued regulations requiring health care providers, health plans, and other entities covered by the Health Insurance Portability and Accountability Act (HIPAA) to notify individuals when their health information is breached. These 鈥渂reach notification鈥 regulations implement provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, passed as part of American Recovery and Reinvestment Act of 2009 (ARRA).[1]

Navigation Menu

 

Resources, Policies and Related Links

U.S. Department of Health and Human Services, Health Information privacy site:

U.S. Department of Health and Human Services information for Covered Entities, Summary of the Privacy and Security Rules:

Final HIPAA Privacy Rule:

HIPAA Security Standards Final Rule:

Health Information Technology for Economic and Clinical Health (HITECH) Act: (Breach Notification for Unsecured PHI -  Interim Final Rule 鈥 August 2009):

Breach Notification Rule:

Covered Components of the 911爆料网:

 

Things to Remember

The HIPAA Privacy Rule sets standards for how protected health information should be controlled by setting forth what uses and disclosures are authorized or required and what rights patients have with respect to their health information. 

The HIPAA Security Rule sets forth administrative, physical and technical safeguards to protect the confidentiality, integrity and availability of electronic protected health information (ephi).  The standards require covered entities to implement basic safeguards to protect ephi from unauthorized access, alteration, deletion, and transmission.

The Security Rule applies only to protected health information in electronic form.  The Privacy Rule applies to protected health information in any form, if it has once been transmitted electronically.

The Security Rule contains standards that must be adopted by a covered entity.  The Security Rule also contains 鈥渋mplementation specifications鈥 that are designated as 鈥渞equired鈥 or 鈥渁ddressable鈥. 鈥淩equired鈥 implementation specifications mean that a covered entity must implement that specification.

  鈥淎ddressable鈥 means that a covered entity must assess whether the implementation specification is a reasonable and appropriate safeguard in its environment, and must implement the specification if so; if implementing the specification is not reasonable and appropriate, the covered entity must document why it would not be reasonable and appropriate to implement that specifications and must implement an equivalent alternative measure if reasonable and appropriate

Covered entities are required to do the following in general:

  1. Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains or transmits;
  2. Protect against any reasonably anticipated threats or hazards to the security or integrity of such information;
  3.  Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under the Privacy Regulations; and
  4.  Ensure compliance with the security regulations by its workforce.

 

Notice of Privacy Practices

document icon

 

For legal assistance, please contact the Office of the General Counsel at https://umsystem.edu/ums/gc/

[1] U.S. Department of Health and Human Services

Reviewed 2021-08-04