Protecting Medical Records – HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) of 1996, which applies to covered health-related organizations in the United States, was originally intended to protect health insurance coverage when workers changed or lost their jobs. In 2005, in response to the maturation of the Internet as a medium for data interchange, the HIPAA Security Rule took effect, establishing a new set of standards for the electronic maintenance and transmission of protected health information (PHI): information about an individual's health status, the provision of health care, or payment for health care that can be linked to a specific individual. HIPAA is administered by the U.S. Department of Health and Human Services.

To ensure the security of patient-related data, HIPAA regulations require health plans, healthcare clearinghouses, and healthcare providers to protect and secure any individually identifiable health information, including information that is stored or transmitted electronically. The Security Rule provides a uniform level of protection for all such information that is housed or transmitted electronically and pertains to an individual, known as electronic protected health information (ePHI). Specifically, covered organizations are required to ensure the confidentiality, integrity, and availability of all ePHI; to protect against reasonably anticipated threats to its security or integrity and against unauthorized use or disclosure; and to train the entire workforce on achieving compliance. HIPAA distinguishes between implementation specifications that are "required" (i.e., must be implemented) and others that are "addressable" (i.e., need not be implemented as written if the organization documents why the specification is not reasonable or appropriate in its circumstances and, where reasonable and appropriate, implements an equivalent alternative measure). "Addressable" therefore does not mean optional: the decision and its rationale must be written down and kept as part of the compliance record.

The penalties for violating HIPAA requirements can be quite severe, for example:

  • Each instance of unauthorized disclosure by a health care provider is punishable by civil fines ranging from $10,000 to $25,000
  • Each instance of intentional unauthorized disclosure is punishable by criminal fines ranging from $100,000 to $250,000 and possible imprisonment
  • Although not part of HIPAA itself (the statute provides no private right of action), the most severe exposure of all may be civil lawsuits brought under other laws by the individual whose private medical information is revealed in violation of HIPAA requirements

In 2013 the HIPAA regulations were amended by the Omnibus Final Rule. One of its provisions is that business associates, meaning vendors and other third parties that create, receive, maintain, or transmit PHI on behalf of a covered entity, together with their subcontractors, are directly responsible and accountable for meeting the security standards of HIPAA, rather than being bound only by contract with the covered entity.