Privacy, Security and HIPAA
A Common Sense Approach to
Meeting HIPAA Standards
1959 NW Dock Place
Seattle, WA 98107
Background - Internet Privacy, Security and HIPAA
The idea of passing individual health records across the public Internet has prompted
legitimate concerns about the privacy and security of patient-identifiable information, also
called "protected health information" (PHI). As a result, the Health Insurance Portability
and Accountability Act ("HIPAA" or the "Act") requires privacy and security standards
for sharing PHI in electronic form.
Who needs to be HIPAA compliant:
HIPAA affects any healthcare entity, large or small, that exchanges individually identifiable
health information. This includes providers, payers, and clearinghouses, as well as other
entities that handle PHI on their behalf, such as laboratories, billing agencies, IT vendors,
employers, and pharmaceutical and biotechnology companies.
Compliance deadline of April 14, 2003:
Covered entities currently face a deadline of April 14, 2003 for compliance with the
privacy rule. (Small health plans have been given an additional year to comply.) While a
deadline for compliance with the security standard has not yet been established, the standard
is in proposed form and is expected to be finalized this August.
Scoping the impact on an organization:
To understand how the HIPAA privacy and security requirements impact an organization,
one first needs to understand how protected health information enters the organization,
how it is used, and how it flows to the outside world. At the end of the day, an organization
must be in a position to answer questions posed by a patient or by other parties responsible for
protecting a patient's information, including:
• Who has PHI at any point during its lifecycle?
• What will they use it for?
• What procedures does an organization have in place to tra