The Health Insurance Portability and Accountability Act of 1996 (Aug. 21), Public Law 104-191, amends the Internal Revenue Service Code of 1986. It is also known as the Kennedy-Kassebaum Act.

Title II includes a section, administrative simplification, requiring:

  • Improved efficiency in healthcare delivery by standardizing electronic data interchange.
  • Protection of confidentiality and security of health data through setting and enforcing standards.

HIPAA calls for:

  • Standardization of electronic patient health, administrative and financial data.
  • Unique health identifiers for individuals, employers, health plans and healthcare providers.
  • Security standards protecting the confidentiality and integrity of "individually identifiable health information," past, present or future.

The bottom line: sweeping changes in most healthcare transaction and administrative information systems.

Who Is Affected?

All healthcare organizations are affected. This includes all healthcare providers, even one-physician offices, health plans, employers, public health authorities, life insurers, clearinghouses, billing agencies, information systems vendors, service organizations and universities.

How Are We Affected?

Broadly and deeply. Required compliance responses aren't standard, because organizations aren't. For example, an organization with a computer network is required to implement one or more security authentication access mechanisms—user-based, role-based, and context-based access—depending on its network environment.

Effective compliance requires organization-wide implementation.

Steps include:

  • Building initial organizational awareness of HIPAA.
  • Comprehensively assessing the organization's information and security systems, policies and procedures.
  • Developing an action plan with deadlines and timetables.
  • Developing a technical and management infrastructure to implement the plan.
  • Implementing a comprehensive action plan, including:
    • Developing new policies, processes and procedures.
    • Building "chain of trust" agreements with service organizations.
    • Redesigning a compliant technical information.
    • Purchasing new, or adapting, information systems.
    • Developing new internal communications.
    • Training and enforcement.