HIPAA - Health Insurance Portability and Accountability Act
The Health Insurance Portability and Accountability Act of 1996,
commonly known as HIPAA, is very complex and comprehensive legislation intended
to improve health care information "portability," privacy and security.
The intended results of this act are to improve consistency in data coding and
communications among providers, insurance companies and third-party payers (the
"portability" issue); reduce insurance abuse and claim fraud; and assure
that health care information is created, stored and shared appropriately.
MOREnet, as a service provider for University of Missouri Health
Care, must be aware of HIPAA requirements as increasing amounts of health care
data are transmitted over its network. Health care data may include patient records,
test results, images or even real-time diagnostic or treatment sessions. In particular,
MOREnet needs to understand the security requirements for the transmission of
health care information. One train of thought suggests that MOREnet just provides
a "conduit" and simply facilitates the transmission of information to
and from its customers without regard to the content of that information. Another
train of thought suggests that MOREnet is part of a chain of custody of regulated
information and may have obligations to ensure the security of that information
while it is in MOREnet's custody.
The final publication of security rules just came out in mid-December
2002, so it is still not clear if MOREnet will be affected by these regulations.
Through meetings with University of Missouri Health Care and other interested
agencies over the next several months, MOREnet hopes to determine its obligations
under HIPAA.
We hope the regulations will be clear and spell out MOREnet's
responsibilities in terms of specific security protocols and implementations.
Previously published drafts of the security regulations have not been that straightforward,
and if the final publication is consistent with the drafts, there may be some
ambiguity in the regulations that will be open to interpretation by various involved
parties. Two potential consequences of this ambiguity are security implementations
that are not consistent with the intent of the legislation and court challenges
to individual security implementations. Unfortunately, there may be inconsistent
implementations and court challenges even if the language is relatively clear,
as organizations try to do things "their way."
As MOREnet learns more about its obligations in relation
to HIPAA, we will pass that information on to you.