The Health Insurance Portability and Accountability Act
The security and privacy requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and their implications for pharmacy are discussed.

HIPAA was enacted to improve the portability of health care insurance for persons leaving jobs. A section of the act encourages the use of electronic communications for health care claims adjudication, mandates the use of new standard code sets and transaction sets, and establishes the need for regulations to protect the security and privacy of individually identifiable health care information. Creating these regulations became the task of the Department of Health and Human Services. Regulations on security have been published for comment. Regulations on privacy and the definition of standard transaction sets and code sets are complete. National identifiers for patients, providers, and payers have not yet been established. The HIPAA regulations on security and privacy will require that pharmacies adopt policies and procedures that limit access to health care information. Existing pharmacy information systems may require upgrading or replacement. Costs of implementation nationwide are estimated to exceed $8 billion. The health care community has two years from the finalization of each regulation to comply with that regulation.

The security and privacy requirements of HIPAA will require pharmacies to review their practices regarding the storage, use, and disclosure of protected health care information.

In 1996 President Clinton signed the Health Insurance Portability and Accountability Act (HIPAA) into law. The act is principally aimed at facilitating the continuation of health care insurance coverage for people leaving jobs. It contains five sections: Title I, on guaranteeing health insurance access, portability, and renewal; Title II, on preventing health care fraud and abuse; Title III, on medical savings accounts and coverage for the self-employed; Title IV, on enforcing group health plan provisions; and Title V, on revenue offset provisions. Title II contains a subpart, "Administrative Simplification," that deals with the electronic communication of patient data, primarily for claims adjudication, and that mandates regulations to protect the security and privacy of such information. The security regulations were issued for comment on August 12, 1998, and are expected to be finalized in the spring of 2001. The privacy regulations were finalized on December 28, 1998. Through this act, Congress hopes to reduce paper-processing costs by as much as $2 billion per year. The Department of Health and Human Services (DHHS) estimates that the cost of compliance will exceed $5 billion over five years for the security regulations and $3 billion for the privacy regulations.

One cannot discuss the electronic transfer of health care information without first establishing a common dialect for the transfer of that information and without raising fears about loss of privacy. As a result, HIPAA calls for regulations that establish standards for encoded data and message syntax to provide a lingua franca for health care information exchange, regulations to provide for health care data security, and regulations protecting the privacy of health care records. It is unlikely that the HIPAA requirements involving data codes and message syntax will directly affect pharmacy practice. However, the data security and privacy regulations will require pharmacists to review their current information systems and practices regarding access to and use of patient medical records.

Ideally, all individually identifiable health care information would be released only to people who absolutely need it and only on the express permission of the involved patient. Realistically, however, the daily conduct of health care (in terms of both rendering care and seeking reimbursement) requires that health care information be freely available to providers of care. In HIPAA terms, such uses or disclosures fall into the categories of treatment, payment, and health care operations.

HIPAA's privacy regulations therefore attempt to define what uses or disclosures of this information represent the normal conduct of health care and those that are exceptional and then to define control measures for each. Privacy regulations extend to individually identifiable health records from any source (not just electronic) and broadly affect who may see such records and what portions they may see. These regulations therefore affect clinical practice, research, and publication.

Storing, retrieving, and transmitting patient information electronically present hazards both in terms of increased availability of that information to unauthorized persons and in terms of that information not being available when needed because of system failures. The security regulations therefore attempt to define the measures that must be in place to ensure that electronically stored information is available to those who need it when they need it, that it is properly authenticated, and that it is protected from use or disclosure by unauthorized persons.

HIPAA perceives health care information as being appropriately distributed on a need-to-know basis. The use or disclosure of health care information for any purpose should be limited to that subset of the information necessary for the task at hand. It will therefore be important for pharmacists to establish their need for access to such information. This article does not represent a legal opinion; rather, it is intended to identify the requirements of HIPAA associated with security and privacy and to discuss the potential impact on pharmacy practice.