Rx2000 Institute Information Clearinghouse
The Meetingplace for Healthcare


Non-Profit, Member Supported
 


Health Insurance Portability and 
Accountability Act (HIPAA)

FAQ: Frequently Asked Questions


An Introduction to HIPAA, the Health Insurance 
Portability and Accountability Act

Which of the HIPAA regulations will have the most 
impact on healthcare?

What is the purpose of the HIPAA Security and 
Electronic Signature standards?

Why are new Security and Electronic Signature 
standards needed?

What is the electronic signature standard?

How will the standards to protect individual health 
information be implemented?

Who must comply?

Who must comply with the Electronic Signature 
standard?

Do security requirements apply only to the 
transactions adopted under HIPAA?

Is it mandatory to use an electronic signature?

Do the Security Standards apply to paper 
documents?

Does the Security Standard require use of specific 
technologies?

How will smaller providers be affected?

What are the required timelines for achieving
compliance with HIPAA regulations?

What benefits do the new HIPAA regulations 
provide to healthcare organizations?

What is the tentative schedule for publication of 
HIPAA Administrative Simplification Regulations?

 


An Introduction to HIPAA, the Health Insurance 
Portability and Accountability Act

Put off, delayed and, some might even say, ignored 
because of the healthcare industry's recent focus on Y2K, 
the Health Insurance Portability and Accountability Act, 
or HIPAA, has now achieved critical status for the 
industry. Once U.S. policy makers begin introducing final 
HIPAA regulations, most healthcare organizations will 
have twenty-four months to comply with rules that will 
fundamentally affect many of the ways healthcare 
conducts its business.

The Health Insurance Portability and Accountability Act 
or HIPAA will:

  • Change the way healthcare organizations 
    exchange electronic health care data;
  • Establish new standards for (1) administrative 
    health care transactions, (2) procedure and 
    diagnosis coding and (3) identification numbers 
    for providers, insurers and individuals;
  • Create new security rules to ensure the safety and 
    privacy of individually identifiable healthcare 
    information and records.

Passed in 1996, HIPAA is designed to protect 
confidential healthcare information through improved 
security standards and federal privacy legislation. It 
defines requirements for storing patient information 
before, during and after electronic transmission. It also 
identifies compliance guidelines for critical business 
tasks such as risk analysis, awareness training, audit 
trails, disaster recovery plans, information access 
control, and encryption.

These security standards for information access control 
and encryption may have the most significant impact on 
how the industry conducts its business.

Complying with Security Standards

There are more than sixty-eight information security 
conditions in three areas that must be met to ensure 
compliance with HIPAA. These areas are:

  • Technical Security Services: user authorization 
    and authentication, access control and encryption
  • Administrative Procedures: formal security 
    planning, record maintenance and audits
  • Physical Safeguards: building security, and privacy 
    for offices and workstations that handle patient 
    information

Cost Implications for Healthcare

Many experts in the industry estimate that the impact and
cost of HIPAA and the organizational changes required 
for implementation will significantly dwarf the expense of 
preparing for Y2K. Additionally, unlike one-time Year 
2000 preparations, information security will become an 
annual IT budgetary cost for training, evaluating, 
inspecting and updating security systems and policies.

Moreover, failure to achieve compliance with 
HIPAA could find hospital executives, physicians 
and others facing fines of up to $25,000. Certain 
criminal violations could cost individuals and 
organizations $250,000 and up to 10 years in jail!

Final costs for compliance will largely depend on 
whether an organization's current information systems 
are capable of accommodating the regulation's 
encryption and standardization requirements. HIPAA 
may require system replacements if they are unable to 
manage the new functional requirements. Rules 
regarding the development, verification and security of 
electronic signatures may prove particularly problematic 
for some existing systems.


Which of the HIPAA regulations will have the most 
impact on healthcare?

At the core of the new regulations are requirements to 
systemize, expedite and protect the electronic transfer 
of healthcare information. These include:

  • standards for the electronic transmission of 
    financial and administrative information
  • standard codes for identifying medical diagnoses 
    and procedures
  • a 10-digit numeric ID known as a National Provider
    Identifier issued to every provider organization
  • a nine-digit numeric ID issued to each employer to 
    use in all HIPAA-governed administrative and 
    financial transactions
  • thirty-four specific security measures that providers
    must adopt in order to protect patient-identifiable 
    healthcare information
  • additional rules that will specify how, and under 
    what circumstances, healthcare information can be 
    used and shared


What is the purpose of the HIPAA Security and 
Electronic Signature standards?

The new standards are being developed to protect the 
confidentiality, integrity and availability of individual 
health information.


Why are new Security and Electronic Signature 
standards needed?

There were no existing standards that provided 
comprehensive and uniform protection of individual 
health information. HIPAA's new security standards will 
permit appropriate access and use of an individual's 
health information by health care providers, 
clearinghouses, and health plans while providing 
appropriate safeguards against misuse and 
dissemination. HIPAA will also mandate a new 
electronic signature standard for healthcare 
organizations when an electronic signature is employed 
in the transmission of a HIPAA standard transaction.


What is the electronic signature standard?

The Electronic Signature Standard will provide a reliable
method of assuring message integrity, user 
authentication and non-repudiation.


How will the standards to protect individual health 
information be implemented?

The standards require safeguards for the physical 
storage and maintenance of, transmission of, and access 
to individual health information. Implementation will 
depend upon the individual organization, its existing 
technology and the risks to and vulnerabilities of the 
information it must protect.


Who must comply?

All healthcare providers, healthcare clearinghouses and 
health plans that electronically maintain or transmit health
information pertaining to an individual must comply with 
the standards.


Who must comply with the Electronic Signature 
standard?

Any healthcare provider, health care clearinghouse, or 
health plan that employs an electronic signature in the 
transmission of one of the transactions adopted under 
HIPAA. The electronic signature standard applies only to
the transactions adopted under HIPAA.


Do security requirements apply only to the 
transactions adopted under HIPAA?

No. The security standard applies to all individual health 
information that is maintained or transmitted. This is 
much broader than the specific transactions currently 
defined in the law.


Is it mandatory to use an electronic signature?

No. At this time, none of the transactions adopted under 
HIPAA requires an electronic signature.


Do the Security Standards apply to paper 
documents?

No. The standards apply to individual health information 
in electronic form only.


Does the Security Standard require use of specific 
technologies?

No. The Security Standard is "technologically neutral" in 
order to facilitate use of the latest and most promising 
technologies that meet the needs of different healthcare 
organizations. The security standard is a compendium of
security requirements that must be satisfied. While all 
organizations will be required to meet the basic 
requirements, particular solutions will likely vary based 
upon organizational size and complexity.


How will smaller providers be affected?

The proposed security standard does not require 
extraordinary measures. It involves taking actions that 
assure the security of the information to be protected. 
The standard does not dictate specific technologies. 
The requirements of the standard may be implemented 
in a number of ways, depending upon the security needs
and technologies in place at each business and upon 
agreements among businesses that work together.


What are the required timelines for achieving 
compliance with HIPAA regulations?

According to HHS rules, the implementation deadline 
will be two years and two months after the final HIPAA 
regulations are released.

It is not yet certain how the privacy regulations will 
ultimately be interpreted and enforced by the Health 
Care Financing Administration.


What benefits do the new HIPAA regulations 
provide to healthcare organizations?

We can identify three important potential benefits.

  • The standardization of electronic data interchange
    may significantly improve information transfer 
    between payer and provider.
  • Codification of electronic data standards may 
    position providers to efficiently move their 
    services onto the Internet.
  • It provides healthcare organizations with an 
    opportunity to streamline and simplify their 
    operations and infrastructure thereby providing a 
    significant potential for savings. For example, a 
    large amount of physician practice time is 
    currently spent on administrative processing. We 
    expect that administrative needs may significantly 
    decrease with implementation of HIPAA 
    standards.


What is the tentative schedule for publication of 
HIPAA Administrative Simplification Regulations?

The most recent schedule is published by the 
U.S. Department of Health and Human Services.

Standards are required to be implemented within 2 
years of the effective date of the final rule, which is 
generally 60 days after publication of the rule. However, 
the effective date for the National Provider Identifier is 
planned to be no earlier than 7/2000, to give the 
Department enough time to develop the system for 
implementing the identifier.

Copyright © 1996-2000 Rx2000 Institute.  All Rights Reserved

Rx2000 Institute is an independent, non-profit, member-supported information clearinghouse, improving healthcare cost and quality.