View Rule

Statement of Need: The Health Insurance Portability and Accountability Act of 1996 requires the Secretary of Health and Human Services to adopt security standards that require reasonable and appropriate administrative, technical and physical safeguards to (1) ensure the integrity and confidentiality of health information, (2) protect against any reasonably anticipated threats or hazards to the security or integrity of the information and protect against unauthorized uses or disclosures of the information. This rule stipulates the requirements necessary to comply with the law.

Summary of the Legal Basis: The Administrative Simplification provisions of HIPAA require the Secretary to establish standards for the security of health information use by health plans, health care clearing houses, and certain health care providers.

Alternatives: In the absence of federal regulations, the security of health care information in electronic form would be left to the private sector to develop. It is believed that this course of action would result in an extremely uneven level of protection (ranging from none to excessive) for electronic health information pertaining to individuals and make it difficult, if not impossible, to provide for privacy of this information.

Anticipated Costs and Benefits: As the effect of any one of the HIPAA standards is affected by the implementation of other standards, it is misleading to discuss the impact of one standard by itself. Therefore, an Impact Analysis on the total effect of all the standards was published in the proposed rule concerning the national provider identifier (HCFA-0045-P) which was published on May 7, 1998 (63 FR 25320). Security protection for health care information is not a "stand alone" type requirement. Appropriate security protections will be a business enabler, encouraging the growth and use of electronic data interchange. The synergistic effect of the employment of the recommended security practices, procedures and technologies will enhance all aspects of HIPAA's Administrative Simplification requirements.

Risks: The storage, handling and transmission of health information has long been a paper process. However, the transition from paper to electronic media has begun and is increasing at a rapid pace. This transition has brought on a significantly increased risk to the security and confidentiality of health information, particularly for information pertaining to individuals. This rule formally establishes a baseline set of requirements for security that must be adopted by health care providers, health plans and health care clearinghouses. Compliance with these requirements will greatly decrease risk to the security, integrity and confidentiality of health information.