HIPAA Compliance
Protected health information
HIPAA is the Health Insurance Portability and Accountability Act. The Act deals with two separate concerns, Portability and Accountability. It was enacted in 1996; the Privacy Rule that implements its data-protection requirements took effect for most covered entities in 2003, and the Security Rule, which covers electronic protected health information, in 2005.
Portability addresses a person moving from one job to another and being able to carry existing medical conditions into the new employer's health plan. Before HIPAA, a person who changed jobs and therefore lost coverage could find that the next insurer classified their existing health needs as "pre-existing conditions" and, under that clause, declined to pay the medical expenses for those conditions. For example, someone who regularly took prescription medicine for high blood pressure could be refused coverage of that medication under the pre-existing-condition clause of the new policy. HIPAA limits such exclusions for people who had prior creditable coverage.
Accountability, for software purposes, means protecting the confidentiality, integrity and availability of patient data, known as protected health information (PHI). The Administrative Simplification provisions of this title are the source of the Privacy Rule and the Security Rule. When a program stores PHI, HIPAA requires that it be stored so that unauthorized persons cannot read or alter it, that patient privacy is protected, and that patients' preferences about who may see which data are honored.
HIPAA in a Nutshell
Three things are needed for a piece of software to be used in a HIPAA-compliant way. Note that HIPAA has no official certification scheme for software; the legal obligations fall on the covered entity or business associate that deploys it, so "HIPAA compliant software" means software that lets that organization meet its obligations:
- The software contains specific features that protect patient data from misuse, restrict access to what each user needs, record who did what, and manage patient preferences regarding who has access to their data.
- The software has been designed, built and tested using a disciplined, controlled and fully documented Quality Assurance methodology, so that the safeguards can be shown to work as claimed.
- The company creating the software has an adequate supporting infrastructure: the administrative and physical safeguards around the software itself, such as written policies, workforce training, facility security, and backup and recovery arrangements.
Data Protection required by HIPAA
- Encryption of protected health information at rest and in transit (an "addressable" specification under the Security Rule: the organization must implement it or document why an equivalent alternative is reasonable)
- Protection against improper disclosure
- Controlled access to information by the workforce (unique user identification, role-based authorization, and "minimum necessary" access to each record)
- Regular reviews of system activity (log review, access reports, and incident tracking)
- Guards against malicious software
- Data transfer security (integrity checks and encryption of data in transit)
- Record retention and data destruction
- Automatic log-off after a period of inactivity
- Full audit trail of who accessed or changed which records, and when
- Applicability to all business associates that receive or share data, under a written business associate agreement
- Data backup plan
- Disaster recovery plan
- Physical security: facility access controls, visitor handling, workstation and device security, and equipment maintenance records
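The access-control, automatic log-off and audit-trail items above are the ones that land directly in application code. The following is an added example, not code from the original page or from any product it describes, showing how those three safeguards fit together in a small PHI store: role-based "minimum necessary" views of a record, a session that is logged off after a fixed inactivity period, and an append-only audit trail in which every entry hashes the previous one so that deletions or edits are detectable. The patient record, the roles and their permitted fields, the user names and the 15-minute inactivity limit are all constructed assumptions for the illustration; encryption at rest is deliberately left to a real library rather than sketched here.

```python
"""Added illustration of three HIPAA Security Rule technical safeguards:
access control (minimum necessary), automatic log-off, and a tamper-evident
audit trail. Data, roles and limits below are constructed assumptions."""
import hashlib
import json
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample record (hypothetical patient, not real data).
RECORDS: Dict[str, Dict[str, object]] = {
    "P-001": {
        "name": "Alice Example",
        "diagnosis": "hypertension",
        "medications": ["lisinopril 10mg"],
        "insurance_id": "INS-123",
        "next_appointment": "2024-07-01",
    },
}

# "Minimum necessary": each role sees only the fields its job requires (assumed roles).
ROLE_FIELDS: Dict[str, set] = {
    "physician": {"name", "diagnosis", "medications", "next_appointment"},
    "billing": {"name", "insurance_id"},
    "receptionist": {"name", "next_appointment"},
}

INACTIVITY_LIMIT = 15 * 60  # seconds before automatic log-off (assumed policy value)
GENESIS = "0" * 64          # previous-hash value for the first audit entry


@dataclass
class Session:
    user: str
    role: str
    last_activity: float


class AuditTrail:
    """Append-only log; each entry commits to the previous entry's SHA-256,
    so removing or editing an earlier entry breaks verification."""

    def __init__(self) -> None:
        self.entries: List[dict] = []
        self._prev = GENESIS

    def log(self, ts: float, user: str, action: str, patient_id: Optional[str],
            outcome: str, fields: Optional[List[str]] = None) -> dict:
        entry = {"ts": ts, "user": user, "action": action, "patient": patient_id,
                 "outcome": outcome, "fields": sorted(fields or []), "prev": self._prev}
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        self._prev = entry["hash"]
        return entry

    @staticmethod
    def _digest(entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def verify(self) -> bool:
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev or self._digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True


class PhiStore:
    def __init__(self, audit: AuditTrail, clock: Callable[[], float] = time.time) -> None:
        self.audit = audit
        self.clock = clock  # injectable so inactivity can be simulated in tests
        self.sessions: Dict[str, Session] = {}

    def login(self, token: str, user: str, role: str) -> None:
        if role not in ROLE_FIELDS:
            self.audit.log(self.clock(), user, "login", None, "denied: unknown role")
            raise PermissionError("unknown role")
        self.sessions[token] = Session(user, role, self.clock())
        self.audit.log(self.clock(), user, "login", None, "ok")

    def _session(self, token: str) -> Session:
        s = self.sessions.get(token)
        if s is None:
            raise PermissionError("not logged in")
        now = self.clock()
        if now - s.last_activity > INACTIVITY_LIMIT:
            del self.sessions[token]  # automatic log-off, recorded in the trail
            self.audit.log(now, s.user, "auto-logoff", None, "inactive")
            raise PermissionError("session expired")
        s.last_activity = now
        return s

    def read(self, token: str, patient_id: str) -> Dict[str, object]:
        """Return only the fields the caller's role may see; every attempt is logged."""
        s = self._session(token)
        record = RECORDS.get(patient_id)
        if record is None:
            self.audit.log(self.clock(), s.user, "read", patient_id, "denied: no such record")
            raise KeyError(patient_id)
        view = {k: v for k, v in record.items() if k in ROLE_FIELDS[s.role]}
        self.audit.log(self.clock(), s.user, "read", patient_id, "ok", list(view))
        return view
```

The audit trail records denied attempts and automatic log-offs as well as successful reads, because the "regular review of system activity" item is only useful if failures are visible. Hash chaining makes after-the-fact editing detectable but does not stop an attacker who controls the process from rewriting the whole chain; in production the entries should be shipped to a write-once store or signed with a key the application server does not hold.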