HIPAA

Health Insurance Portability And Accountability Act (HIPAA): concept analysis

Health Insurance Portability And Accountability Act (HIPAA): concept analysis

In 1996? the federal Health Insurance Portability and Accountability Act (HIPAA) was adopted as a step toward reshaping government health care. Referred to as the HIPAA? it enables portability of health care insurance coverage for workers and their families when they change or lose their jobs? sets a standard or benchmark for safeguarding electronic and paper exchange of health information? and requires national identifiers for providers? health plans? and employers. The final policy implementation rule outlines the entities affected by the legislation as health care providers? health plans? health care clearinghouses? and vendors offering computer software applications to providers and those billing for health services (Health Privacy Project? 2002; Public Law 104-191 1996; Rules and Regulations? 2003; U.S. Department of Labor? 2005). Aside from the federal law? some entities and even states have set standards more stringent than those promulgated by the federal mandate (U.S. Department of Health and Human Services 2004; 2005a).

HIPAA conceptualized in a broader framework? can help nurses anticipate what path future health care legislation may take. Looking beyond the micro reasons for HIPAA-- a law to protect and secure personal health information--HIPAA can be conceptually defined as legislation in pursuit of reshaping the U.S. government? public? and private health care. It is important to reshape government? public health care agencies in particular. Bureaucracy has become inefficient? too often ineffective? paternalistic in decisions of health care? rowing instead of steering? and slow responding to the growing demands of the external environment? such as health care costs (Gore 1995b; Mitchell & Simmons? 1994; Osbourne & Gaebler? 1992). Consumers of public and private health care are becoming more sophisticated searching to become more involved as a decision maker in their personal care (Gore? 1994). Change is needed.

A common complaint about HIPAA is that the details tend to be fuzzy -- there's no product companies can buy to magically get compliant? and there's no sanctioned checklist to guide you to certification. This is? to a large extent? by design: One goal of HIPAA was to be a one-size-fits-all? technology-neutral regulation. Many information security pros enjoy this flexibility? while some wish for more guidelines. Whatever your stance? HIPAA requires that IT groups tailor a security program to their specific environments. To help? we pulled together 10 steps that should put companies well on their way to building a security program that will pass muster? just in case the feds come knocking. We've included the basics here; find an expanded version in our special InformationWeek Analytics HIPAA Alert.

Sounds basic? and most large organizations have designated an information security officer. But smaller shops may not recognize the value of having a single person responsible for coordinating all HIPAA activities. This doesn't mean the security official does all the work; rather? this is the person who tracks compliance requirements and brings projects to the internal groups responsible for implementation.

The essence of HIPAA is establishing a sustainable security management process ...