What is HIPAA?
   - Health Insurance Portability and Accountability Act
   - Enacted by Congress in 1996
   - Title I protects health insurance coverage when workers change jobs
   - Title II addresses Security and Privacy of Protected Health Information
   - Main parts are the Privacy Rule, Security Rule, and Enforcement Rule

The Privacy Rule
   - Effective April 14, 2003
   - Defines Protected Health Information (PHI)
   - PHI is information such as Name, Social Security Number, or Date of Birth, which could lead to identification of an individual member
   - Requires an Authorization or Subpoena for entities such as Sierra to disclose PHI
   - Requires entities to take reasonable steps to insure confidentiality

The Security Rule
   - Effective April 21, 2006
   - Requires three kinds of security safeguards needed for compliance:  Administrative, Physical, and Technical

Administrative Safeguards
   - Requires written policies to explain how the entity will comply with HIPAA
   - Highly recommends training employees who deal with PHI

Physical Safeguards
   - Requires controls to be in place to limit physical access to computerized data and networks.
   - Example: when a computer is retired, all PHI on the hard drive must be eliminated.
   - Example: Hard drives with PHI must be secured in a locked room with an alarm system.

Technical Safeguards
   - PHI must be encrypted if it travels over the Internet.  Example: SSL Encryption.
   - Networks holding PHI must be "hacker safe"
   - Must authenticate access, for example, with a UserID and Password.
   - Requires documented Risk Analysis and Risk Management programs.
   - Entities must carefully consider the risks of their operations.