
The Health Insurance Portability and Accountability Act of 1996, known as HIPAA, was enacted on August 21, 1996, as an attempt to incrementally reform the healthcare system. The goal was to simplify and streamline the burdens of healthcare.

The original law had four key components:

• Insurance market reforms to limit exclusions for pre-existing conditions and to guarantee the renewal of group and individual insurance

• A Medical Savings Account demonstration project

• Expanded enforcement of fraud and abuse

• Administrative Simplification provisions mandating electronic handling of health insurance transactions

This law was sold mainly as a way to ensure portability of healthcare plans, but as with all massive federal legislation it blossomed into much more. When the bureaucrats began writing regulations, the main emphasis was on the privacy of individuals’ health records and on electronic records. It included heavy fines and jail terms for violations of individuals’ privacy. It applied to providers, insurance companies and governments that pay for healthcare services (Medicare and Medicaid, for example).

The first civil money penalty was imposed on Cignet Health of Prince George’s County, MD. Cignet was fined $4.3 million for its HIPAA violation. An example of a government getting fined is the Alaska Department of Health and Human Services (DHHS). It agreed to pay the U.S. Department of Health and Human Services (HHS) $1.7 million to settle potential HIPAA violations. Alaska also agreed to take corrective action to improve policies and procedures to safeguard the privacy and security of its patients’ protected health information. Over the course of the investigation it was found that DHHS did not have adequate policies and procedures in place to safeguard electronic protected health information (ePHI). Further, DHHS had not completed a risk analysis, implemented sufficient risk management measures, completed security training for its workforce members, implemented device and media controls, or addressed device and media encryption as required by the HIPAA Security Rule.

Under HIPAA, if you host health information, you must have certain administrative, physical and technical safeguards in place. Technical safeguards require access control so that only authorized users can access electronic protected health information. Access control includes using unique user IDs, an emergency access procedure, automatic log off, and encryption and decryption. Network, or transmission, security is the last technical safeguard required of HIPAA compliant hosts to protect ePHI against unauthorized public access. This covers all methods of transmitting data, whether by email, over the Internet, or even over a private network such as a private cloud.

A supplemental act, the Health Information Technology for Economic and Clinical Health (HITECH) Act, was passed in 2009. It supports the enforcement of HIPAA requirements by raising the penalties for health organizations that violate the HIPAA Privacy and Security Rules. The HITECH Act was created in response to the development of health technology and the increased use, storage and transmittal of electronic health information.

So this begs the question. If there was ever a violation of HIPAA, it is the ObamaCare website. We have learned that the website design was lacking any serious security design. And since this website has so many connecting fingers (NSA, IRS, HHS, etc.), will individuals’ PHI really be protected? Physicians, hospitals and insurance companies are held to strict standards when it comes to individuals’ health information. Why shouldn’t the President, HHS and all involved be held to the same standard? It appears to me that this website is serious enough to elicit the maximum fine and maximum jail sentence, but for whom? I’m thinking the President.