What is HIPAA? (part 1)

Editor's Note: To understand how the changes in HIPPA affect Domino and Notes administrators, view Chuck's tip on "Conducting a HIPAA audit".

You may have seen newspaper stories recently about changes to privacy regulations for health care organizations. These new regulations went into effect on April 14 and are causing large amounts of confusion at doctors' offices, insurance companies, HMOs, and even florists who deliver to hospitals. The privacy rules are part of a large, complex federal law called the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

This article summarizes the various aspects of HIPAA and shows how it has affected (and will affect) computer operations at any organization involved with health care, which is a very large segment of the economy.

HIPAA has five general provisions…

Insurance Reform – This portion of HIPAA relates to how health insurance is handled when someone changes jobs or loses their job. It helps you to maintain continuous health coverage during career transitions.

Transactions and Code Sets – This portion of HIPAA standardizes the way that medical information is formatted and transmitted electronically. There are now a huge number of incompatible formats for storing health information on computers, and this part of HIPAA attempts to solve that problem.

Identifiers – This is a national registry of identification numbers for health care organizations, so the organizations can communicate with each other unambiguously.

Privacy – This part of HIPAA governs how the health care industry should handle your confidential health information. In theory, the rules are quite simple: No one should see your medical information, except for you and people who need to see it to give you good care. In practice, the rules are causing lots of problems. Here are some examples.

Security &ndash

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Spam and Security Securely connect Lotus Domino servers on different domains Protect Lotus Notes from malicious code with the Domino ECL How to correct Lotus Notes public key mismatches in four easy steps A recipe for secure IM success Telecommuter security kit Spear phishing: Don't be a target FAQ: Lotus Notes Domino password issues Security awareness training: How to educate employees about spyware Seven tips to strengthen your Domino e-mail security Admin2005 preview: Tips, techniques, and a look at Notes/Domino Rel. 7 Lotus Notes Domino Policy Management IT governance in an IBM Lotus software environment Pen testing your VPN VPN clients for mobile devices Restraining the monsters behind Lotus Notes' 'Full Access Administrator' Getting past expired IDs Creating a single sign-on for .NET and Lotus Notes Setting corporate mail file size policies on NSF files Why hidden paragraphs on a form are not a real security measure Encryption and privacy in Lotus Notes Domino E-mail authentication: Holy Grail or lost cause?

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

; This set of HIPAA regulations takes effect in two years. Up until now, health care organizations have been focusing on the privacy rules. But now that the privacy deadline has past, computer security is the next area that organizations will turn to. The security requirements are quite extensive, with a wide variety of interpretations about what they mean. Some of the regulations are marked as "required", while others are "addressable." Addressable means that you are not required to do it, but if not you must explain why not or provide an alternative. The regulations are also divided into "administrative", "physical", and "technical" areas. Within each area, there are "standards" and "implementation specifications." There is a lot to learn, and the time to begin preparing for this deadline is now. No organization can meet the HIPAA security requirements with a couple months effort.

(For more details about the security rules, and how they affect Domino/Notes systems, see my companion article Conducting a HIPAA Security Audit . The article includes a downloadable Notes tool to help with these audits.)

The first provision of HIPAA (insurance reform) is Title I of the act. The last four provisions are collectively known as Title II or Administrative Simplification. The term "simplification" is quite humorous however, since everyone involved in health care has been pulling their hair out trying to figure out how to meet the requirements. They are anything but simple!

All of the provisions -- particularly Transactions and Code Sets, Identifiers, and Security -- will have a large impact on any computer system within the health care world. What many people do not appreciate about HIPAA however, is how far the "health care world" extends. Some examples:

Spending on health care in the United States is now greater than $1.3 trillion per year, and it accounts for more than 13% of our gross domestic product. This is a very big industry, which uses lots of computers. Most of these computers will be affected by the HIPAA regulations in some way. All data processing professionals should spend some time gaining a general understanding of HIPAA, since we are all likely to run into this law in some way in the near future.

Chuck Connell is president of CHC-3 Consulting , which helps organizations with all aspects of Domino and Notes. He also performs HIPAA security audits through his web site HipaaSecurityExperts.com .