and (5) the needs and capabilities of small health care providers and rural health care providers.
HIPA requires that each person who maintains or transmits health information shall maintain reasonable and appropriate administrative, technical, and physical safeguards to ensure the integrity and confidentiality of the information; to protect against any reasonably anticipated threats or hazards to the security or integrity of the information and unauthorized uses or disclosures of the information; and to ensure that a health care clearinghouse, if it is part of a larger organization, has policies and security procedures that isolate its activities with respect to processing information in a manner that prevents unauthorized access to such information.
By August 1997, the Secretary is required to submit to Congress detailed recommendations on standards with respect to the privacy of individually identifiable health information. These recommendations must address the rights that should be guaranteed to an individual who is a subject of patient-identifiable health information, the procedures that should be established for the exercise of such rights, and the uses and disclosures that should be authorized or required. HIPA contains penalties ranging from $50,000 to $250,000 and 1 to 10 years in jail for wrongful disclosure of individually identifiable health information.
If legislation is not enacted by August 1997, the Secretary is required to promulgate final regulations containing such standards not later than 6 months after that date. In carrying out this section, the Secretary must consult with the National Committee on Vital and Health Statistics and the Attorney General.
The Health Insurance Portability and Accountability Act represents an important first step in better protection of health information. By mandating the promulgation of standards and regulations for security and privacy, the act begins to fill the void in existing legislation for protecting health information. It remains to be seen, however, how the act will be implemented and whether its standards and regulations will be enforced firmly. Without strong measures and ways of ensuring that they are implemented, patient health information may continue to remain vulnerable to potential misuse.