HIPAA (Health Insurance Portability and Accountability Act) is a United States federal law enacted in 1996.
This document provides guidance on applying the requirements of the Health Insurance Portability and Accountability Act (HIPAA) and sets out how protected health information (PHI) must be stored, used, shared and disclosed.
The privacy provisions of this HIPAA guide are intended to protect the confidentiality of information about patients' physical and mental health comprehensively, without impeding treatment, the operation of healthcare facilities or the quality of care.
The Privacy Rule applies to organizations, consisting primarily of health care providers and health professionals, that transmit information about a patient's condition electronically, or that handle protected health information (PHI) and other personally identifiable information (PII) about patients while providing health care or processing payment for it. Examples of organizations covered by HIPAA:
- Health care providers, including doctors, clinics, psychologists, dentists, chiropractors, nursing homes and pharmacies, that transmit any information electronically in connection with a transaction for which the U.S. Department of Health and Human Services (HHS) has adopted a standard.
- Health plans, including health insurance companies, health maintenance organizations, employer-sponsored group health plans and government health care payment programs.
- Health care clearinghouses, including organizations that process nonstandard health information received from another organization into a standard form (i.e. a standard electronic format or data content), or vice versa.
To comply with the HIPAA Security Rule, covered entities must meet requirements in six areas, each of which contains several standards and implementation specifications:
- General rules – the overall requirements for appropriately protecting electronic protected health information (ePHI).
- Administrative safeguards – administrative actions, policies and procedures for managing the selection, implementation and maintenance of measures that protect ePHI, and for managing the conduct of the covered entity's workforce in relation to the protection of that information.
- Physical safeguards – "physical measures, policies and procedures to protect a covered entity's electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion".
- Technical safeguards – the technology, and the policies and procedures for its use, that protect ePHI and control access to it.
- Organizational requirements – standards for business associate contracts and other arrangements with persons to whom ePHI is disclosed, ensuring that appropriate safeguards are in place.
- Policies, procedures and documentation requirements – the covered entity must maintain documented policies, procedures and records for implementing the security measures reasonably and appropriately with respect to ePHI.
