The Health Insurance Portability and Accountability Act (HIPAA) was created to satisfy three objectives:
Administrative Simplification began as President George Bush, Sr. assembled a group of healthcare industry leaders to discuss the reduction of healthcare administration costs; increased electronic data interchange (EDI) was the overwhelming answer. Faced with resistance in Congress, the Act only passed with extensive industry support.
The Department of Health and Human Services (DHHS) defines the purposes of the Administrative Simplification rule thusly:
[65 Fed. Reg. 82463 (December 28, 2000)]
Three Major Elements of Administrative Simplification
The Standards for Electronic Transactions and Code Sets
The cost of administration in the healthcare industry is very high. Providers, insurers, health plans, and others have utilized many different electronic data formats and transmission requirements. This complex web of data interchange has resulted in delays, confusing rejections, bureaucratic authorization processes, and low levels of remittance. The creation of national conformance standards covering the most routine electronic transmissions has the potential of reducing the resources – financial, time, and human – necessary to do business in the healthcare industry, as well as enhance the effectiveness of the intended transactions. The Standards for Electronic Transactions regulation has established mandatory transaction and coding requirements for defined electronic transactions. Providers are able to submit standard transactions to health plans and payers that have to accept them. Hence, electronic data interchange enables healthcare facilities to pursue the most effective and efficient use of modern information technology in the administration of their organizations.
Congress also recognized the power of modern information technology. Continually advancing technology enables the collection and aggregation of large quantities of data in any desired format or structure; subjects these data to endless permutations of sorting, filtering, and analysis; and the instantaneously widely distributes the raw data or analysis results – all without significant human thought. Hence, the need to protect the privacy and security of patient health information is unquestionable.
The Security and Electronic Signature Standard (“Security”) and the Privacy of Individually Identifiable Health Information Standard (“Privacy”) comprise a team of regulations intended to protect patient health information. Privacy defines the permissible means of access, use, and disclosure of the applicable patient information, while Security governs the operational, physical, and technical mechanisms necessary to protect this information.
Standards for Privacy of Individually Identifiable Health Information
The Privacy rule is intended to prevent the unreasonable offense against patient’s interest in restricting unnecessary knowledge or dissemination of personal information provided or accumulated to assist in their diagnosis or treatment. The specific requirements restrict access, use, or disclosure of personal patient information to those legitimately involved in the patient’s treatment, the healthcare facility’s required operations, and billing for the treatment.
Security and Electronic Signature Standards
The Security rule is intended to ensure that organizations that hold personal patient information provide operational, physical, and technical protections to support privacy restrictions. That is, the organization must create a comprehensive system of operational, physical, and technical protections to prevent unintended access, use, and disclosure of protected information. Security refers to protections at three levels: