Regulation Summary
The Health Insurance Portability and Accountability Act of 1996 and its Security Rule establish requirements for safeguards to protect the confidentiality, integrity, and availability of electronic protected health information. HIPAA applies to virtually all healthcare organizations - including all healthcare providers, health plans, public health authorities, healthcare clearinghouses, and self-insured employers - as well as life insurers, information systems vendors, various service organizations, and universities.
The Administrative Simplification section of HIPAA resulted in several rules, including the Security Rule. The final Security Rule was published on February 20, 2003 and provides for a uniform level of protection of all health information that is housed or transmitted electronically and that pertains to an individual.
HIPAA requires covered entities to:
Ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) the covered entity creates, receives, maintains, or transmits
Protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI
Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Privacy Rule
Ensure compliance by their workforce.
HIPAA calls for severe civil and criminal penalties for noncompliance, including fines of up to $25K for multiple violations of the same standard in a calendar year, and fines of up to $250K and/or imprisonment of up to 10 years for knowing misuse of individually identifiable health information.