- What is HIPAA?
- Who will enforce HIPAA Security?
- What is the purpose of the HIPAA Security Standards rule, and why were security standards needed, as published in the Federal Register on February 20, 2003?
- Why is there not a mandatory requirement to use encryption for transmissions over the Internet?
1. What is HIPAA?
HIPAA is an acronym for the Health Insurance Portability and Accountability Act, a Federal law divided into several titles. Title I of the law allows persons to qualify immediately for comparable health insurance coverage when they change their employment relationships. Title II, Subtitle F, of HIPAA gives HHS the authority to mandate the use of standards for the electronic exchange of health care data; to specify what medical and administrative code sets should be used within those standards; to require the use of national identification systems for health care patients, providers, payers (or plans), and employers (or sponsors); and to specify the types of measures required to protect the security and privacy of personally identifiable health care information. The law is also known as the Kennedy-Kassebaum Bill, the Kassebaum-Kennedy Bill, K2, or Public Law 104-191.
2. Who will enforce HIPAA Security?
The Department of Health and Human Services (HHS) has determined that CMS will have responsibility for enforcing the transactions and code set standards, as well as the security and identifier standards once those are published. As of 2004, both the security and identifier standards have been published. CMS will also continue to enforce the insurance portability requirements under Title I of HIPAA. The Office for Civil Rights in HHS will enforce the privacy standards.
3. What is the purpose of the HIPAA Security Standards rule, and why were security standards needed, as published in the Federal Register on February 20, 2003?
The purpose of this Security Standards rule is to adopt national standards for safeguards to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI). They were needed because no standard measures existed in the health care industry that addressed all aspects of the security of electronic protected health information while it is in use, in storage, or being exchanged between entities. HIPAA mandated security standards to protect an individual's health information while permitting the appropriate access and use of that information by health care providers, clearinghouses, and health plans.
4. Why is there not a mandatory requirement to use encryption for transmissions over the Internet?
There remain significant financial and technical burdens associated with using encryption tools. Particularly when considering the situations faced by small and rural providers, it is clear that there is not yet a simple and interoperable solution available for encrypting e-mail communications with patients. As a result, CMS decided to make the use of encryption in the transmission process an addressable implementation specification. Note that "addressable" does not mean optional: a covered entity must assess whether the specification is reasonable and appropriate in its environment and, if it decides not to implement it, must document why and implement an equivalent alternative measure where reasonable and appropriate.