Health Insurance Portability and Accountability Act
The Health Insurance Portability and Accountability Act of 1996 (HIPAA), public law 104-191, is a 1996 U.S. statute protecting the confidentiality of medical records.. It is intended to protect the security (confidentiality) and privacy of health-case data by establishing and enforcing standards for the many organizations that handle data of that type.
HIPAA's privacy provisions have been used as guidelines in other countries. This type of legislation has equivalents in the European Union, and has impacts on transborder data flow of sensitive medical information. Such flows are far more extensive than the outsourcing of medical administrative work, and cover professional medical services that cross international borders. For example, it is increasingly common for small hospitals in Australia not to have an in-house radiologist covering emergencies at night; the images are interpreted by a radiologist during daylight hours in the U.S. In like manner, a rural U.S. emergency room might send an X-ray image to a radiologist awake in Australia. Some Application Service Providers specialize in healthcare, and have developed substantial HIPAA-related security expertise.
While HIPAA does have some rules covering health insurance, its major impact is its Title II, which provides detailed regulations, including penalties, for safeguarding Protected Health Information (PHI). Title II has five main rules:
- Privacy Rule
- Transactions and Code Sets Rule
- Unique Identifiers Rule
- Security Rule
- Enforcement Rule
The Privacy and Security rules are the chief external constraints, although the Transaction and Code Sets and Unique Identifiers will have to be part of your applications.
Proving that government can have a sense of humor, the most complex parts of Title II of HIPAA are the five "Administrative Simplification" rules. In one sense, these actually do simplify many of the technical aspects of safeguarding PHI. To the health professionals under its jurisdiction, the day-to-day operational rules became more complex. If you are in the United States, think of the last time you filled a prescription. You had to sign a HIPAA-mandated form, often electronically, allowing information release, offering you consultation, etc. The rules truly attempt to improve privacy and the opportunity for consumers to get health information.
Many health professionals are frightened about prosecution for some HIPAA violation, and it is true that felony prosecution is possible. HIPAA implementation and enforcement, however, can be relatively painless when designed by competent architects, and there is a top management commitment to education and enforcement.
HIPAA privacy rule
The most important rule established the category of "Protected Health Information" (PHI). PHI is any information associated with the health care of an individual, including all of the medical and medical payment records. With the exception of certain mental health information that the appropriate therapist certifies would be unwise for the patient to see, patients are entitled to see all information pertaining to them. Practitioners, however, can impose copying costs. It is customary, but not required, that practitioners provide other clinicians, with patient approval, all relevant information, usually with no charge. Of course, the privacy becomes relevant with the standard authorization for full disclosure to insurers. The employer paying for health care, however, does not have a right to the information.
The basic principle is that the patient usually has ultimate control of the data. The healthcare organization may reasonably require patients (or their representatives) to sign releases.
Health care providers may be required to disclose certain PHI to law enforcement or public health organizations. All US states require physicians to report suspected child abuse. Gunshot wounds usually must be reported to police. Not all infectious diseases have the same public health significance. The incidence of some, such as venereal diseases, is mostly of statistical interest. Outbreaks of diseases with epidemic potential, such as typhoid, cholera, and plague, need urgent reporting. Outbreaks of potential biological warfare agents (e.g., anthrax, tularemia) listed in the Centers for Disease Control Select Agent Program, diseases with significant epidemic or pandemic potential (e.g., highly pathogenic influenza), or of extreme lethality (Ebola hemorrhagic fever) get very quick reporting.
Perhaps the most frightening would be an outbreak of smallpox, the disease caused by Variola major is be the first major infection eradicated from the human race. An outbreak would constitute a world emergency and probable biological warfare attack.
Individuals have a right to request correction, as well as to impose reasonable requirements for communication, such as designating only one number to call with medical information. Institutions must appoint and identify a Privacy Official responsible for the overall program, as well as contacts. The Office of Civil Rights of the US Department of Health and Human Services investigates reports of HIPAA privacy violations.
Transactions and Code Sets Rule and Unique Identifier Rule
This rule truly does introduce administrative simplification, although with a cost of introducing the measures. Essentially all healthcare providers will have to file reimbursement claims electronically, using standard Electronic Data Interchange (EDI) records conformant with the general family of X12N EDI standards.
The providers will also need unique identifiers for providers and patients. There are also guidelines on anonymizing clinical data, removing a wide range of patient identifiers, so the records may be used in research.
The Security Rule
This Rule provides the administrative, physical, and technical mechanisms to support the Privacy Rule. There is considerable flexibility in implementing the Security Rule, although there are some specific requirements. Other requirements are things reasonably regarded as Best Current Practice.
In a contrary sort of way, the administrative safeguards are the most important, as they define what you are going to do. As with any system where there must be a chain of responsibility, organizations that must be HIPAA-compliant should start by naming a Privacy Officer, with backups and assistants as required. The first task of this team is to draft a set of privacy policies and procedures, and obtain buy-in from the various departments that must accept them.
The broader picture of technical security for healthcare computing
For larger healthcare organizations with multiple applications subject to external drivers, it only makes sense to implement the methods that meet the most stringent safeguards. For example, logging is an important part of HIPAA, and logs really only make sense when timestamped. If the healthcare institution also implements electronic prescribing of substances controlled by the Drug Enforcement Administration (DEA), the timestamp for that function must derive from a known reference. That is more precise a time reference than HIPAA requires, but it adds no cost to implement the same solution for both.
Healthcare security begins with security policy
No institution can implement a reasonable security program without first developing a security policy, which should be short, nontechnical, and with emphatic top management approval. Hospitals often have departments that can be resistant to imposed change, or may be in turf wars with other departments. For example, there are enough cases of kidnapped newborns that most hospitals use hard-to-remove identification tags, and have alarms if anyone tries to carry a baby out the door if not approved with a badge and perhaps a code number on a keypad.
In one hospital, the nursing director of the nursery and the director of physical plant were fighting madly, the nursing director wanting a dedicated security system for the nursery and the physical plant director wanting it to be part of the overall hospital system. Either would work, but the personalities had long gotten past that point. It may well be that the Privacy Officer, with the backing of top management, may have to force such decisions -- but it is much better to solve them diplomatically.
Medicine is full of special cases for security. For example, while many institutions try to block World Wide Web access to what software filters consider to be pornographic material, specialists in gynecology, urology, breast cancer, and other fields cannot be blocked, by Web content filters, from their professional sites.
Mental health professionals, to understand influences on their patients, occasionally needed to visit hate sites or actual pornographic sites.
Comprehensive security systems, after identifying and confirming identity of users, will match the user privileges with the sensitivity labels on protected information in the system. It may well be that the Privacy Officer, perhaps with a second observer, needs access to all PHI in the system. Personnel in the nursery, however, rarely will need access to information in the geriatric unit, and vice versa. The system should enforce the plausible case, but also allow for special overrides. A grandparent, unable to leave a bed in geriatrics, might want to see a child through the hospital television system. In this case, appropriate supervisors need to log the exception to need-to-know, and then manage the exception.
Healthcare security administration
Administrative procedures have to cover the entire staff human resources spectrum as it pertains to privacy and security. The security staff may be involved in verifying the credentials of professionals before they are hired. Once someone is a member of the staff, they need an initial security and privacy briefing and signoff that they understand their responsibilities, and then issued any devices (e.g., identification cards or security tokens) or information (e.g., password creation or digital certificates) needed for the identification and authentication processes. If any biometric methods are part of this process, security personnel need to take the appropriate measurements. Staff will need periodic retraining, or training on new systems; the Privacy Officer should keep a written record of learning objectives for privacy.
At termination, especially involuntary, security must disable accesses and collect authentication devices. The security officer must revoke all passwords and digital certificates, as well as identification badges and security tokens. Depending on the circumstances, an exit security interview may be appropriate.
If the healthcare organization outsources services, it must verify that the contractor's PHI protection is at least as strong as the facility outsourcing the work. Think long and hard about outsourcing PHI to a country not under the United States privacy laws, or the sometimes stronger European Union rules. If the outsourcing firm is multinational and does business in the United States, and it has resources under the jurisdiction of US courts, the organization outsourcing the process is in a much stronger position to enforce HIPAA compliance. The contract must include the right to approve any further outsourcing of PHI.
Emergency plans should be in effect for protecting PHI in the case of an attack, accident, or catastrophe. If there are mutual backup arrangements with other facilities, be sure PHI protection systems are compatible, and if providers bring patients from the other facility, that usually should not grant them access to the patients' PHI. There could be legitimate reasons, such as the other facility also providing backup for some hospital services, such as the clinical laboratory.
Healthcare security auditing
Internal audit, generally performed with the knowledge of the Privacy Officer but distinctly not by the Privacy staff, is an important quality control measure. As long as it does not jeopardize safety, surprise audits may be appropriate. Surprise audits are likely to be in use at most hospitals, as with checks of drug inventories. A potential intrusion should trigger an immediate audit.
Among the most important aspects of auditing is having a top management buy-in that audits are a needed part of quality control. If there were problems, and no malice was involved, there needs to be an after-audit conference, applying all ideas to solving the problem.
PHI needs appropriate access control, including physical security and user authentication. The less common practice of server authentication also can be wise to immpement. To begin with, workstations and servers with access to PHI need to be in restricted areas. When you release or retire equipment that contained PHI, thoroughly erase all storage in the equipment. Identify people with access to hardware and software that protects PHI, and briefed or monitored in their work. Sign-in logs are mandatory.
As a general principle, display screens should not be visible to the public. In practice, however, there are situations, such as in intensive care and post-anesthesia recovery, where real-time physiological data is on screens visible to anyone in the area. For the staff, instant access to that data is literally a matter of life or death. It is advisable, whenever possible, to have these screens identify bed ID rather than patient name, as long as there is positive mechanism of associating patients with beds.
There are very legitimate reasons to have PHI in portable devices such as PDAs with clinical applications, but such devices must have adequate protection, such as strong authentication, and files kept in encrypted form. The physical size of a PDA precludes most biometric safeguards, so much of the security may center around strong passwords, perhaps at multiple levels. Always encrypt their communications.
Physical security is required for all technical means
All the security software in the world cannot guard against someone physically stealing the equipment. Having the files encrypted in storage, however, still protects the PHI. The more portable the device, the more the files need encryption.
Physical security in cloud computing opens entirely new challenges and opportunities. One approach to compliance with the Security Rule is to use a federated database approach in which no logically complete file exists, in its entirety, at any one data center; a miscreant would have to steal servers from two or more locations.
Technical safeguards protect PHI stored in computer systems and transmitted between them. There is also an expectation of privacy for telephone and facsimile communications.
It is highly desirable that users should authenticate themselves with digital certificates and/or two-factor authentication. The information systems themselves need to be physically secure from intrusion, typically in a locked room with access controls.
When information flows over a public network, encrypt it. The current best practice would require at least 128-bit Advanced Encryption Standard (AES) protection. HIPAA does allow it to flow unencrypted on private networks, which is very questionable. Above all, always encrypt information transmitted by wireless media. Before the electronic communication starts, the parties must use strong authentication to confirm their identity.
While it is not required, it is good practice to encrypt files in storage, especially those in historical rather than real-time databases. Files should use a cryptographic checksum providing sequential integrity ) and record-level integrity.
Document all security practices for US government audit. Archive configuration files for servers, network elements, etc. Automatic logging of reconfiguration is highly recommended. Each provider must document the risks perceived in that organization, and how the risks are managed and mitigated.
Ironically, the "simplified" rules, in many cases, present additional complexity to clinicians and patients. There is no question, for example, that there is an additional paperwork requirement, from office to hospital to pharmacy, for informed consent forms.
Effects on medical research
- See also: Informed consent
As a reaction to the Nazi medical "experiments" in WWII, the world's medical community adopted and updated the Declaration of Helsinki [WMA] as the basic ethical document covering medical research. One of the key elements is that competent persons need to give informed consent before they participate in clinical trials. With HIPAA, this extends even to statistical meta-analysis derived from charts where the researchers never see the patient, but the researchers have access to identifying information in the chart.
In addition to HIPAA, US clinical researchers need to comply with the regulations in 21CFR11, the basic rules for human clinical trials. Again, if the institution does research, it should make sure that one underlying technical mechanism meets different email audit trails for HIPAA and 21CFR11.
Bioethicists are very aware of what they consider "research burden", since a single hospitalization often involves multiple informed consents, which can be frightening to someone not familiar with research procedure. One research group is trying to find ways to reduce the burden , but, after discussing the project with them, they are not sure they can do anything about the regulatory burden. With HIPAA, the informed consent forms become even longer because the patient has to agree to the privacy safeguards.
An interview with Dr. Roberta Ness, chair of epidemiology at the University of Pittsburgh medical center described the PEPP II retrospective study in obstetrics that recruited 12.4 women per week before HIPAA, but after HIPAA took effect, the average recruitment rate for participation in PEPP II was 2.5 women per week without a waiver, 5.7 women per week with a waiver, and 3.3 women per week since retraction of the HIPAA waiver. 
Effects on clinical care
Emergency teams can become utterly frustrated, trying to get critically needed data on a patient from a distant facility, while a functionary at the other end wanted consent from the patient faxed to them before releasing the information. This is difficult when the patient is unconscious and no surrogate was available. Hospitals should have legal counsel and senior management contacts available on a 24-hour basis, to deal with potentially life-threating situations.
Clinician-to-clinician contact often is reasonable, which gives medical professionals the information to document that they believe this is a true emergency.
Fear, Uncertainty and Doubt (FUD) is a major concern in HIPAA implementation, and there are far too many "consultants" eager to sign up for billable hours. Even in complex telemedicine, that either the regulations are not overwhelming to information technologists, with clinical backgrounds of their own, or working with medical specialists, healthcare workers can define reasonable, defensible implementations.
Government offices often are surprisingly helpful in clarifying compliance requirements. The chief problem, in fact, is finding the right government office. At present, it is the Center for Medicare and Medicaid Services (CMMS) , which formerly was the Healthcare Financing Administration (HFCA).
Email should be sent with one of:
Balancing security in disasters
In major disasters, there may come a time where medical efficiency has to override PHI protection. An early blood transfusion system that checked the patient against the unit of blood products, to avoid transfusion errors. With the technology of the 1970s, this could add several minutes. Several hospitals preferred the safeguards, but the major trauma centers were very hesitant to have anything that could slow them down in a major emergency. At a planning conference, disaster plan directors were polled to find the number of patients at which their emergency departments would go to disaster mode, and perhaps disable the safety feature.
Numbers from four to twenty patients were mentioned, until it was the turn of the United States Army Medical Department (AMEDD) representative. He smiled sadly, and suggested if people wanted to get an idea what they considered a massive casualty load, they should watch several episodes of M*A*S*H.
Such situations were considered in developing HIPAA law and regulations, which continue to evolve based on operational experience. Specific regulations that allow waiver of some rules in disaster situations. For them to apply, the President and the Secretary of Health and Human Services must make a disaster declaration, which lasts 72 hours but may be renewed. . SSpecifically, hospitals are immunized against violations of the Privacy Rule that would be limited to requirements to:
- Obtain a patient's agreement to speak with family members or friends involved in the patient’s care
- Honor a request to opt out of the facility directory
- Distribute a notice of privacy practices
- Request privacy restrictions
- Request confidential communications
Further, the hospitals must be in the declared disaster area and have instituted a disaster protocol.
There are statutory provisions that allow disclosures for treatment purpose and certain disclosures to disaster relief organizations, such as the American Red Cross notifying family members of the location of victims.
Training and compliance impact
HIPAA presents extensive training requirements. It affects the greatest number of medical information system interfaces, such as HL7 for the exchange of clinical information, EDI for claiming reimbursement. Security checklists for institutions will have the greatest number of requirements for physical inspection of equipment, focused on preventing unauthorized changes and letting unauthorized people see clinical data being displayed.
Health care organizations need to be able to document that staff have been informed of the rules, and that a responsible manager or auditor periodically checks compliance.
Threats and enforcement
- "PUBLIC LAW 104-191, AUG. 21, 1996: HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996". U.S. Department of Health & Human Services (1996). Retrieved on 2008-08-16.
- Whitman, M. & Mattord, H. (2005), Principles of Information Security, Second Edition, Thomson Course Technology
- Sainty, Katherine & Andrew Ailwood (November 2004), Managing compliance in the global space – transborder data flow, Workplace and Information Privacy Conference
- Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. 1301
- Center for Medicare and Medicaid Services, U.S. Department of Health and Human Services, HIPAA General Information
- Center for Medicare and Medicaid Services, U.S. Department of Health and Human Services, The HIPAA Law and Related Information
- World Medical Association, Ethics unit: Declaration of Helsinki
- Ulrich, CM et al. (2005), "Respondent Burden in Clinical Research: When Are We Asking Too Much of Subjects?", IRB: Ethics & Human Research 27 (4): 17-20
- Torkarski, Cathy (15 February 2005), "HIPAA Privacy Rule Thwarts Clinical Research Recruitment", Medscape
- Center for Medicare and Medicaid Services, United States Department of Health and Human Services
- U.S. Department of Health and Human Services, Is the HIPAA Privacy Rule suspended during a national or public health emergency?
- | id = 45 CFR 164.510(b)(4) | title = 45 CFR Subpart E—Privacy of Individually Identifiable Health Information, § 164.510 Uses and disclosures requiring an opportunity for the individual to agree or to object | url = http://www.lawyersandhipaa.com/510.htm | author = U.S. Code of Federal Regulations}}