Does HIPAA apply to me?

HIPAA applies to organizations called covered entities. Covered entities include all health plans, all healthcare clearinghouses and all providers who transmit HIPAA covered transactions. In February of 2003, the Final Rule adopting HIPAA standards for the security of electronic health information was published in the Federal Register. Among many other items, the standards called for appropriate measures to back up and store healthcare-related computer data files. Above the protestations of some members of Congress, the document specifically addressed the need of covered healthcare entities to back up their critical data stores, citing that the methodology and requirements would differ from one to another. In fact, the final security rule contains language making the implementation of a data backup plan a required portion of compliance with the rule, positioning backup as part of a 'required contingency plan' which also calls for a formal disaster recovery plan and an emergency mode operation plan. Further, the committee also listed data backup as 'addressable' in the Physical Safeguards section of the rule, meaning that the covered entity needs to adopt the implementation specification as written in the rule, adopt another equally secure standard or have a well documented reason (other than strictly the cost of implementation) why the addressable implementation specification will not be adopted.

It is clear that the intent of HIPAA, particularly the Administrative Safeguards and Technical Safeguards sections of the Final Security Rule, is to help insure that a covered entity's sensitive data stores are protected both technically and operationally from unauthorized access and usage, and to insure that they can be recovered in the event of the loss or destruction of host hardware or infrastructure.

The majority of HIPAA compliance activity manifests as sensible business practices - things like locked server room or datacenter doors, password protected databases, access and process control documentation, and formal plans for disaster recovery and business continuity.

It is important to note that many of the key measures extend not only to large health insurance companies, but to their business associates, participating physicians and clearinghouses as well. Also worth clarifying is that business associates are not covered directly by HIPAA regulations, but are covered by contract with the covered entities that they provide products and/or services for. Like it or not, HIPAA has helped to create healthier and more secure physician business processes. In the past, physicians were content and within guidelines to back up to tape drives located within their offices. The new HIPAA security standards, which officially took effect April of 2005, mandate that the physician be able to access the data in case of an emergency so that operations can continue. The same holds true for health plans and clearinghouses.

Ideally, physicians, other covered entities and their business associates should back up their data to an offsite and secure facility, so that perils to the physical office and hardware would not substantially affect their ability to quickly resume business with an accurate and secure data set. In a recent article in a prominent international medical journal, a leading provider of financial and technical services to smaller physician's offices listed the lack of a data backup plan as one of three key areas of non-compliance by these entities.

Why Comply?

What are the costs of non-compliance? Let's disregard for a moment the clear and serious business implications for any entity that is publicly accused or exposed as having mishandled sensitive patient data. Instead we'll concentrate on the stated fines and imprisonment sanctions that are spelled out for us within the Act itself. Per section 1177, fines for any covered entity that knowingly uses, obtains, or discloses personally identifiable health information to another person range from $50,000 to $250,000 per case, depending on the nature and circumstances surrounding the offense. Violators can also face jail time ranging from one to ten years in addition to the fines.