HIPAA Regulations

HIPAA is the Health Insurance Portability and Accountability Act passed by Congress in 1996. This complex law regulates a number of healthcare areas, including portability of healthcare benefits, claims fraud and abuse, privacy of patient information, security of information systems used by healthcare organizations, and simplification of electronic standards for administrative and financial transactions. The U.S. Department of Health and Human Services (HHS) is issuing many of the regulations required by the legislation. Individuals and organizations regulated by HIPAA include all healthcare providers, health plans and healthcare clearinghouses.

Importance of HIPAA

One of HIPAA’s most important requirements is that healthcare organizations must implement appropriate administrative, technical and physical safeguards to protect the privacy of patient information. Information subject to this requirement is called Protected Health Information or PHI and is defined as “any information which identifies or could be used to identify an individual and has anything to do with past, present or future physical or mental health conditions, care or payment for care”.

HIPAA and email

The requirement to protect the privacy of PHI extends to electronic transmission of PHI between two parties, such as an email message. HIPAA does not prohibit the use of email to communicate PHI, but the law requires the individuals and organizations it regulates to assess the risks of using email and to take steps to reduce or eliminate risks that using email, both internally and externally, poses. Those risks include unauthorized interception of messages in transmission and receipt of messages by unauthorized persons. Email over the Internet can be used as long as appropriate security procedures are established.

HIPAA and email usage

The Privacy Regulations and the Security Regulations apply to the use of email because of their requirement to safeguard PHI. The Privacy Regulations, which became effective on April 14, 2003, do not specify the exact safeguards that must be adopted to protect PHI. This decision is left to the informed, reasonable judgment of the healthcare organization based on the services it provides, the technologies it uses, the risks to PHI created by the use of those technologies, and the organization’s financial and administrative resources. Organizations are expected to take these kinds of factors into account to make “scalable” decisions about the safeguards they will adopt. This means you may make compliance choices based on the size, budget and operational needs of your organization. The requirement for this kind of analysis is spelled out in more detail in the Security Regulations. The Security Regulations specifically require healthcare organizations to assess their PHI-related security risks and implement appropriate safeguards to address those risks. These requirements apply to PHI in all electronic systems, including email. Covered Entities must comply with the Security Regulations by April 2005.

Safeguarding transmission of PHI

HIPAA regulations are specific about the end result required if you use email — health information sent via electronic means must be protected against unauthorized access. However, the regulations are less specific about the technologies to be used to accomplish this. No particular technology is required, so a wide variety of options have emerged, including closed networks, virtual private networks and various types of encryption services. Choosing among these alternatives is a matter of your properly informed business judgment, based on your particular circumstances, resources and needs.