HIPAA
One of the more important regulations is HIPAA, the Health Insurance Portability and Accountability Act, which was developed in the United States in 1996. HIPAA is a large and complex set of provisions that required changes throughout the healthcare industry. The Administrative Simplification portion, Title II, contains the information most important to information security professionals and includes the Privacy and Security Rules. The Administrative Simplification portion applies to what are termed covered entities, which include health plans, healthcare providers, and clearinghouses. See the note below for additional information regarding HIPAA’s applicability.
Note:
Though not testable at the time of this book’s printing, HIPAA has now become more widely applicable due to recent legislation. The Health Information Technology for Economic and Clinical Health Act (HITECH Act), which was signed into law as part of the American Recovery and Reinvestment Act of 2009, extended the privacy and security requirements under HIPAA to those that serve as business associates of covered entities. An additional component added by the HITECH Act is a requirement for breach notification. General breach notification information will be discussed in the next section.
The Privacy and Security portions are largely concerned with safeguarding Protected Health Information (PHI), which includes almost any individually identifiable health information that a covered entity would use or store. The HIPAA Security Rule includes sections on Administrative, Physical, and Technical safeguards. Each safeguard is designated as either a required or an addressable implementation specification, a designation that indicates the degree of flexibility a covered entity has in implementing it.
Exam Warning:
Breach notification laws are still too recent and mutable to be considered testable material, but their importance to the marketplace will make them a subject of test questions in the very near future.