HIPAA: Security vs Privacy Issue
HIPAA is the biggest driver of security technologies in the healthcare space. HIPAA (Health Insurance Portability and Accountability Act of 1996) was originally intended to protect the right to healthcare for workers when they changed or lost their jobs. A by-product for the technology industry was the recognition that HIPAA would place a large administrative burden on the healthcare system. As a result of this view, the Administrative Simplification set of provisions allowed for the creation of requirements to move a number of administrative healthcare functions online. In summary, these provisions included the following:
• Standards to enable electronic exchange transactions
• Creation of unique identifiers for individuals, employers, health plans, and health providers
• Sets of codes identifying specific medical services that can be used to simplify billing
• Security standards for the management of health information that describe how healthcare information and the IT systems involved with that information are to be protected
• Use of digital signatures
• Ability to transfer information between health plans (to ensure continuity of coverage)
In order to accommodate the various players in the healthcare sector, standards and compliance vary depending on the participant and type of description. Healthcare plans and clearinghouses must comply with all of the security standards defined in the Administrative Simplification provisions. Because healthcare plans and clearinghouses deal with a large amount of confidential information, it is critical that they protect the data being handled. Healthcare providers are required to adhere to security standards if they manage or transmit personally identifiable healthcare information. “Personally identifiable healthcare information” refers to data that can be linked to a particular individual, such as a patient’s X-ray results. Non-personally identifiable information may be statistics that characterize trends in the aggregate, for example.
Many people have referred to HIPAA as the next Y2K for the healthcare industry. In some sense, yes, the compliance date of 2002, with an extension to 2003 (with smaller organizations having until 2004 to reach compliance), does present a hard deadline for the healthcare industry. The main difference in this comparison is that Y2K is an event that has passed. HIPAA is an enduring standard that organizations must plan for not only in preparation for the compliance date, but on an ongoing basis. Consulting-based solutions, however, will not allow an organization to sustain compliance. An investment in a system based on PKI is necessary.
One important distinction HIPAA makes is in terms of security versus privacy. Providers were required to comply with all security standards for all healthcare information. On the other hand, providers were required to comply with privacy standards for only protected healthcare information. Providers that do not use electronic methods for exchanging HIPAA information may still be required to comply with security standards, but not necessarily with privacy standards.
So, do you agree with this article? The full article is taken from PKI Security Solutions for the Enterprise by Kapil Raina.