HIPAA:
Frequently Asked Questions (FAQ)
1. What is HIPAA?
HIPAA stands for the Health Insurance Portability & Accountability Act. The
Health Insurance Portability and Accountability Act of 1996 is designed to
protect health insurance coverage for workers and their families when they
change or lose their job. The requirements of HIPAA apply to the storage and/or
electronic transmissions of patient related information, and are intended to
ensure patient confidentiality for all health care related information. Title I
of the law addresses continuous group health insurance coverage for individual
workers changing their place of employment. Title II includes an Administrative
Simplification section that requires establishing standards to ensure the
security, confidentiality, and integrity of healthcare transactions involving
patient identifiable information.
2. When must organizations comply with HIPAA?
President Bush set the final HIPAA Privacy Rule to go into effect on April 14,
2001. As a result, covered entities will be required to comply with the
provisions of the rule by April 14, 2003; standards must be implemented within
2 years of the effective date of the final rule. The first set of rules
pertaining to security requirements was released by Health & Human Services
(HHS) under the provisions of HIPAA on Dec. 20, 1999, and the first draft final
ruling was issued December 20, 2000. Most of the transactions and code sets are
now expected to be in final form sometime in the middle of 2001. The dates for
the Employer and Provider identifier rules have not yet been specified.
3. What kind of organizations are affected by HIPAA?
Any organization that accesses, stores, maintains, or transmits patient
identifiable information or health care records is affected. Typically, health
care providers, hospitals, health plans & insurers, and health care
clearinghouses are covered organizations under HIPAA and the security rulings.
4. Do the HIPAA security requirements cover only the electronic transmission of
patient identifiable information or data?
Originally, HIPAA had only addressed the electronic transmission of patient
identifiable data but did not address the real issue of health care records
privacy. Provisions under HIPAA called on Congress to enact comprehensive
national health care records privacy standards by Aug. 21, 1999. When Congress
failed to meet this deadline, the Dept. of Health & Human Services (HHS)
was given the task to issue the regulation. HHS came out with the first draft
of the regulation in Nov. 1999 and the final ruling came out Dec. 20, 2000
under the provision of HIPAA. The ruling states that it is the responsibility
of organizations that are entrusted with health information to protect it
against deliberate or inadvertent misuse or disclosure. The final regulation
requires covered organizations to establish clear procedures to protect the
confidentiality, security, and integrity of the transmission of patient
identifiable data/records regardless of the media form whether electronic,
paper based, or by voice messaging.
5. What are the original security standards for HIPAA?
The security standards in HIPAA are to address administrative procedures,
physical safeguards, technical security services, and technical security
mechanisms to guard data integrity, confidentiality, and controlled
accessibility of patient identifiable health information/data and records.
6. Has there ever been any sort of standard before to protect the privacy of
patient records?
No. This is the first time ever on a national scale that a standard has been
released to protect the privacy of personal health records. It is the first
time that procedures to protect the most sensitive personal information, an
individual's patient identifiable health information, will be mandated, with
non-compliance enforced at the local as well as the federal level.
7. When is the compliance deadline?
The first transaction standards for the EDI rule of HIPAA were published in the
Federal Register on August 17, 2000 with a compliance deadline of October 16,
2002. The privacy rule was published on December 28, 2000. Its compliance date
is February 14, 2003.
8. What will happen if I do not comply?
Penalties may be imposed if the HHS Office of Civil Rights determines that an
individual's right to privacy has been violated. EDI rule violations will be
reported to the Secretary of HHS. The rule provides for civil penalties of $100
per violation up to a maximum of $25,000 per year. When violations are with the
intent to sell, transfer, or use individually identifiable information for
commercial advantage, personal gain, or malicious harm, criminal penalties
ranging from $50,000 and one year in prison to $250,000 and ten years in prison
may be imposed.
9. Why were new Security and Electronic Signature standards needed as part of
compliance with HIPAA regulations?
No existing standard provides uniform, comprehensive protection of individual
health information. HIPAA mandates new security standards to protect an
individual's health information, while permitting the appropriate access and
use of that information by health care providers, clearinghouses, and health
plans. HIPAA also mandates that a new electronic signature standard be used
where an electronic signature is employed in the transmission of a HIPAA
standard transaction.
10. What electronic healthcare transactions are affected by HIPAA regulations?
Based on current information, eleven transaction standards are scheduled for
implementation:
    Health Care Claim (837)
    Coordination of Benefits (837)
    Payment and Remittance Advice (835)
    Electronic Funds Transfer
    Claims Status Inquiry/Response (276/277)
    Eligibility Inquiry/Response (270/271)
    Health Care Service Review (278)
    Patient Information Attachment (275)
    Enrollment (834)
    Premium Payment (820)
    First Report of Injury
Organizations need to thoroughly assess their transaction systems to assure a
smooth transition to the mandated transaction standards. Start now to review
your current systems and develop proper procedures.
11. What is the purpose of the new Security and Electronic Signature standards
of HIPAA?
The new standards have been developed to protect the confidentiality,
integrity, and availability of individual health information.
12. What problems do these standards address & solve?
The new Security Standard will provide a standard level of protection in an
environment where health information pertaining to an individual is housed
electronically and/or is transmitted over telecommunications systems/networks.
The Electronic Signature Standard will provide a reliable method of assuring
message integrity, user authentication, and non-repudiation.
13. How will the standard protect individual health information?
The standard mandates safeguards for physical storage and maintenance,
transmission, and access to individual health information.
14. How will the new standard be implemented?
Implementation will depend on a number of factors to include: the configuration
of the entity implementing it, the technology that is deployed, and the risks
to as well as the vulnerabilities of the information it must protect.
15. Do security requirements apply only to the transactions adopted under HIPAA?
No. The security standard applies to individual health information that is
maintained or transmitted beyond only those transactions adopted under HIPAA.
This is a much broader scope than the specific transactions defined within
HIPAA. The electronic signature standard applies only to the transactions
adopted under HIPAA.
16. Who must comply with the Electronic Signature standard?
Any health care provider, health care clearinghouse, or health plan that
employs an electronic signature in the transmission of one of the transactions
adopted under HIPAA.
17. Do the Security Standards apply to hardcopy, e.g., paper documents or
records, as well as to electronic information?
Yes. The security standards apply to the privacy of health care records in any
form, whether electronic, paper based or voice communications/messaging. They
apply to the access, storage, maintenance, and transmission of individually
identifiable health information.
18. Why doesn't the Security Standard select specific technologies to be used?
To select a specific technology to satisfy the security requirements found in
HIPAA would tend to bind the health care community to systems and/or software
that may soon be superseded by rapidly developing technologies and
improvements. The Security Standard was developed with the intent of remaining
"technologically neutral" to facilitate adoption of the latest and most
promising developments in this dynamic field and to meet the needs of health
care entities of different size and complexity. The security standard is a
compendium of security requirements that must be satisfied. The particular
solution will vary from business to business but each will meet the basic
requirements for secure electronic access, storage, and transmission of patient
identifiable information.
19. How could a small provider implement the security standard?
The proposed security standard does not require extraordinary measures to
implement. It involves taking actions that a prudent person would agree were
necessary to ensure the privacy and security of the information to be
protected. The standard does not dictate specific technologies. The
requirements of the standard may be implemented in a number of ways, depending
upon the security needs and technologies in place at each business and upon
agreements among businesses that work together.
The Notice of Proposed Rule Making (NPRM) includes an example to illustrate the
manner in which a small provider might implement the standard. We expect that
those required to implement the standard would first assess their security
risks and vulnerabilities and the mechanisms currently in place to mitigate
those risks and vulnerabilities. Following this assessment, they would
determine what additional measures, if any, need to be taken to meet the
security requirements.
20. Is there a website that provides accurate definitions of all this HIPAA
terminology (e.g. Chain of trust, Clearinghouses, etc.)?
The Security NPRM, (available at http://aspe.os.dhhs.gov/admnsimp/index.htm)
has a comprehensive glossary of terms, including acronyms, in Addendum 2,
starting on page 43271 of the Federal Register.
21. My company is installing a Virtual Private Network that may not meet the
128-bit encryption standard. As an internal auditor, I am concerned that we
would not be "HIPAA compliant" in using a lesser standard in "electronically"
transmitting patient identifiable information. I was told that according to the
vendor, HIPAA compliance only applies to patient information sent over the
internet. This is contrary to my understanding. Is the vendor correct and am I
being overly cautious? Or, if the company buys a product based on a vendor
interpretation of the regs, does the company have any recourse if later found
out of compliance?
Please do not depend on your VPN vendor's interpretation of the HIPAA Security
NPRM. They are dead wrong in any interpretation that "HIPAA compliance" is only
for Internet transmission of patient information. It is up to your organization
to understand the HIPAA regulations, develop policies and procedures
appropriate for your organization and ensure that you have adequate
technologies to support your policies & procedures. If you choose a vendor
product that does not support your policy & procedures, then you have a
problem - not the vendor.
22. Is encryption technology use mandated under HIPAA for the transmission of
patient information over a network, and is there an encryption key level
requirement?
Under the HIPAA Security NPRM, encryption is only required for open networks
(e.g. non-private, Internet, dial-up, etc.) - all other implementations of
encryption are optional. Neither does the HIPAA Security NPRM mandate a
specific level of encryption or type of algorithm. The guidance on minimum
encryption levels was established as part of the HCFA Internet Policy,
published November 1998, which details requirements for transmission of patient
information over the Internet. Those levels are 112 bit symmetric (3-DES), 1024
bit asymmetric and 160 bit elliptic curve keys.
23. Are there any products out there that are HIPAA compliant?
No. There is no such thing as HIPAA compliant software or hardware.
There are not going to be any magic product fixes for HIPAA security
compliance. There are good technology products that can help us
implement and enforce policies and procedures; however, these products
(software or hardware) in and of themselves cannot be HIPAA compliant.
It is the organization that is compliant - not the technology or
product. A product that may be great for one organization may not
fit in another one.
24. What steps should a healthcare organization take now to prepare to be HIPAA
compliant?
Be proactive; obtain executive management commitment to an organization-wide
HIPAA compliance Program. Review the organization's strategic and
financial plan; allocate resources for the upcoming years. Consider
establishing a program management position similar to that established
for Y2K. Initiate discussions with your IT partners on HIPAA and
how to assess your organization's current performance relative to
new standards. Obtain training on the subject for key executives and for
information management and IT professionals.
25. What information would be useful to brief the organization's executives on
the scope of HIPAA?
HIPAA compliance will be a multi-year, large cost, institution-wide
effort that will be required by Federal law, Federal regulation,
and related regulatory and accreditation bodies within the next
2-4 years. The effort for most healthcare organizations will be
on a par with Y2K preparations.
26. Isn't it just an IT issue to get HIPAA compliant or implemented?
HIPAA compliance in protecting the privacy of patient identifiable
information and records is simply good business practice and is better
treated as a business issue. Although IT will play a major role
in implementing compliant systems, it is much more than an Information
Technology issue. Implementing HIPAA will affect how healthcare
organizations make adjustments to staffing requirements and revisions
of policies, procedures, and processes to achieve and monitor compliance
with patient privacy & confidentiality needs. Large and medium
sized organizations will need executive sponsorship and dedicated
resources to lead the HIPAA compliance effort. Compliance-related
activities may compete with other major projects but HIPAA requirements
are meant to encourage healthcare organizations to move patient
information handling activities from manual to electronic systems
in order to improve security, lower costs, and improve the quality
of patient information management.
27. What are the consequences or penalties for non-compliance with HIPAA?
Failure to comply will result in significant monetary penalties.
The consequences of knowingly disclosing individually identifiable
patient information are criminal penalties.
28. How will HIPAA affect claims management?
HIPAA's requirements may cause significant changes in process, organization,
and/or staffing in the area of claims management.
29. What are the IT issues for enabling the organization's compliance with
HIPAA?
HIPAA mandates will require substantial changes in the policies,
processes and administration governing patient specific health information.
Similarly, it will require updates of all information systems that
use or collect patient data, and will require the introduction of
new features and functions.
Implementing HIPAA will improve security of healthcare information.
Patient privacy and the security of all medical records will be
more routinely assured. Information systems will have an improved
general resistance to operational disruptions. It may be useful
to consolidate off-network medical record information to a secure
network.
Because HIPAA covers all healthcare organizations, compliance itself
is substantially a non-competitive issue. Coordinating and co-implementing
HIPAA mandated changes among providers, payers, and IT vendors (especially
in claims management) will minimize the cost, confusion and disruption
involved in the transition.
30. How will compliance with HIPAA standards be monitored?
Initially, organizations will use the competitive marketplace to
mutually enforce compliance. Organizations will also find that electronic
transmission of claims using standard transactions will improve
cash flow, increasing the business reason for compliance. Accrediting
and licensing organizations will also be incorporating compliance
with the standards into their processes. JCAHO already references
HIPAA standards in their 1999 Information Management standards.
Ultimately, additional regulations will be developed to establish
a compliance mechanism.
31. We do not exchange data electronically with other enterprises, only within
our enterprise. We batch claims and mail a disk to the clearinghouse. Do the
standards apply to us?
Yes, the security standards apply to exchange of all electronic
health information within an enterprise as well as across enterprises.
Transmissions over the Internet, an extranet, leased lines, dial-up
lines, and private networks are included.
All media are included, electronic or otherwise, even when the information
is physically moved (e.g., through the postal service in paper form)
from one location to another using magnetic tape, disk, or compact
disc.
Telephone voice response and "faxback" systems are also
included if patient identifiable information is involved.
32. How can I prepare information management systems for HIPAA?
Begin now to assess your readiness in order to avoid this becoming
the next Y2K! Use the inventories of systems, networks, and devices
you made for Y2K to assess the ability to adopt the new transaction
standards, code set identifiers, and security requirements. Continue
to maintain these inventories as you upgrade systems. Extend your
business continuity planning for Y2K to managing security issues
with HIPAA.
Conduct a risk analysis and weigh various means of implementing
security in light of your potential liability and your ability to
mitigate that risk. Contact the vendors of both your application
systems as well as your hardware and networks to determine what
already exists that can be "turned on," and how some security
can be hard-coded to address multiple applications.
Assess your business partners' and affiliates' timelines for compliance
with HIPAA to determine if it will be necessary to run parallel
systems or use multiple identifiers for a period of time.