The Health Insurance Portability Accountability Act, better known as HIPAA, was passed in 1996 by the US Department of Health and Human Standards (HHS) to ensure the privacy and security of confidential patient health information. The Act mandates that all Covered Entities (CEs) must implement ‘reasonable and appropriate’ procedures for securing patient health information from security breaches, impermissible uses and/or disclosures, with severe penalties mandated to punish non-compliance.
In March, Atlanta's Piedmont Hospital became the first institution in the country to be audited for compliance with the security rules of HIPAA. The audit was conducted by the office of the inspector general at HHS and is being seen by some in the healthcare industry as a precursor to similar audits to come at other institutions.
A number of HIPAA requirements are focused towards the integrity of electronic protected health information (ePHI) – any personally identifiable health information that is handled electronically, including:
- Controlling access to ePHI
- Monitoring and auditing access to ePHI
- Diagnosing potential security problems
- Retaining records of access for a set period of time
- Demonstrating to independent reviewers the processes that fulfill the requirements above.