What is HIPAA?
- Health Insurance Portability and Accountability Act
- Enacted by Congress in 1996
- Title I protects health insurance coverage when workers
- Title II addresses Security and Privacy of Protected Health
- Main parts are the Privacy Rule, Security Rule, and
The Privacy Rule
- Effective April 14, 2003
- Defines Protected Health Information (PHI)
- PHI is information such as Name, Social Security Number, or Date of Birth, which could lead to identification of an individual member
- Requires an Authorization or Subpoena for entities such as Sierra to disclose PHI
- Requires entities to take reasonable steps to ensure
The Security Rule
- Effective April 21, 2006
- Requires three kinds of security safeguards needed for compliance: Administrative, Physical, and Technical
- Requires written policies to explain how the entity will comply with HIPAA
- Highly recommends training employees who deal with PHI
- Requires controls to be in place to limit physical access to computerized data and networks.
- Example: when a computer is retired, all PHI on the hard drive must be eliminated.
- Example: Hard drives with PHI must be secured in a locked room with an alarm system.
- PHI must be encrypted if it travels over the Internet. Example: SSL Encryption.
- Networks holding PHI must be "hacker safe"
- Must authenticate access, for example, with a UserID and
- Requires documented Risk Analysis and Risk Management
- Entities must carefully consider the risks of their