The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA, Title II) required the Department of Health and Human Services to establish national standards for electronic health care transactions and national identifiers for providers, health plans, and employers. It also addresses the security and privacy of health data, otherwise known as protected health information (PHI).
The Act was passed in August of 1996, with the original document calling for the Department of Health and Human Services to adopt standards for certain types of healthcare transactions, such as claims processing and billing, within 18 months of that date. Health plans were expected to adopt these same standards as a practice within 24 months of their adoption by HHS, effectively opening a three and a half year window for analysis and adoption. Today, approaching a decade after the enactment of HIPAA into law, full uptake and adoption projections extend out until 2007, with future extensions of various types highly probable.
HIPAA applies to organizations called covered entities. Covered entities include all health plans, all healthcare clearinghouses and all providers who transmit HIPAA covered transactions. In February of 2003, the Final Rule adopting HIPAA standards for the security of electronic health information was published in the Federal Register. Among many other items, the standards called for appropriate measures to back up and store healthcare-related computer data files. Above the protestations of some members of Congress, the document specifically addressed the need of covered healthcare entities to back up their critical data stores, citing that the methodology and requirements would differ from one to another. In fact, the final security rule contains language making the implementation of a data backup plan a required portion of compliance with the rule, positioning backup as part of a ‘required contingency plan’ which also calls for a formal disaster recovery plan and an emergency mode operation plan. Further, the committee also listed data backup as ‘addressable’ in the Physical Safeguards section of the rule1, meaning that the covered entity needs to adopt the implementation specification as written in the rule, adopt another equally secure standard or have a well-documented reason (other than strictly the cost of implementation) why the addressable implementation specification will not be adopted.