IQ IT: Intelligent Quality through Information Technology

HIPAA: Health Insurance Portability and Accountability Act

Enacted in 1996, the HIPAA Act was passed into law:

"to improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other purposes." (PL 104-191)

Section II of the Act is commonly referred to as the Administrative Simplification provisions, and includes the HIPAA Privacy Rule and Security Rule.

Rules and Regulations in 45 CFR Parts 160 and 164 set the standards for protecting the privacy of individually identifiable health information and for the security of electronic protected health information.

The Privacy Rule covers protected health information in paper, oral, or electronic form. 

From HHS Office of Civil Rights (OCR) Privacy Brief:

"A major goal of the Privacy Rule is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public's health and well being. 

"The Rule strikes a balance that permits important uses of information, while protecting the privacy of people who seek care and healing. Given that the health care marketplace is diverse, the Rule is designed to be flexible and comprehensive to cover the variety of uses and disclosures that need to be addressed."

The Security Rule applies Privacy Rule provisions to protected health information held or transmitted in electronic format (e-PHI). 

From HHS Office of Civil Rights:

"A major goal of the Security Rule is to protect the privacy of individuals’ health information while allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care. Given that the health care marketplace is diverse, the Security Rule is designed to be flexible and scalable so a covered entity can implement policies, procedures, and technologies that are appropriate for the entity’s particular size, organizational structure, and risks to consumers’ e-PHI."

Both the Privacy Rule and Security Rule are designed to be "flexible and comprehensive."  That means it is the responsibility of the covered entity to interpret the Rules, to determine applicability of the Rules given the size, resources, and operations of their organization, to assess and document the risk to patient information, and to implement appropriate safeguards to protect patient information.

In 2009, the HITECH Act literally changed the rules. New regulations and guidances have been issued by the Department of Health and Human Services (HHS) for Enforcement, Standards for Privacy of Individually Identifiable Health Information, and Breach Notification for Unsecured Protected Health Information, among others.

Gray Matter Consulting will assist you in interpreting and complying with the HIPAA Privacy Rule and Security Rule, and in implementing and documenting appropriate use and disclosure practices, safeguards, and security measures. Gray Matter Consulting will help keep you informed of, and compliant with, these evolving regulations.