Issued in 1996 by the Health and Human Services (HHS) branch of the Federal Government, HIPAA is a set of national standards for the protection of certain health information: covered entities are held accountable for protected information. The major goal of the Act is to provide privacy for individuals’ health information while allowing the flow of that information to covered entities in support of health care services. Entities covered by the Rule are obligated to comply and face real monetary penalties for failure to do so. A subgroup within the HHS called the Office of Civil Rights (OCR) is in charge of implementing and enforcing the privacy rules, including voluntary compliance and civil money penalties.
There are two specific regulations of interest to IT: the HIPAA Privacy Rule and the HIPAA Security Rule. The Privacy Rule covers all protected health information (PHI) maintained by a covered entity, and the Security Rule covers the security of electronic PHI (ePHI), specifying five categories of required policies, procedures, and reporting mechanisms:
- Administrative Safeguards
- Physical Safeguards
- Technical Safeguards
- Organizational Requirements
- Policies and Procedures
Compliance with the Security Rule means implementing “reasonable and appropriate” measures.