
Health Insurance Portability and Accountability Act (HIPAA)

In 1996 Congress passed HIPAA to improve the efficiency and effectiveness of the health care system.  In response to this regulation, the U.S. Department of Health and Human Services ("DHHS") issued several new regulatory standards which apply to all covered entities.  This act mandates the adoption of a number of specific guidelines.  IRG has developed assessment services to aid covered entities in complying with the privacy and security regulations authorized by this act.

The "Privacy Rule"

The Privacy Rule sets standards for how protected health information (PHI) should be controlled by setting forth what uses and disclosures are authorized or required and what rights patients have with respect to their health information.  The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.  "Individually identifiable health information" is information, including demographic data, that relates to:

For the most part, the Privacy Rule protects a subset of individually identifiable health information, known as protected health information, that is held or maintained by covered entities or their business associates acting for the covered entity.

HIPAA Privacy - Compliance Dates

All required privacy compliance steps must be met by the compliance date set forth by DHHS in the final modifications to the Privacy Rule.  The following table gives the dates by which each type of covered entity must have implemented the "Privacy Rule":

Covered Entities                                                   Compliance Date
Health Care Providers                                              April 14, 2003
Medium & Large Health Plans (revenue of $5,000,001 or greater)     April 14, 2003
Small Health Plans (revenue of $5,000,000 or less)                 April 14, 2006
Health Care Clearinghouses                                         April 14, 2003

How can Info Risk Group assist you with HIPAA privacy compliance?

IRG has developed several offerings with respect to the HIPAA "Privacy Rule":

Contact IRG today for further information on how we can help your institution with HIPAA compliance.


The "Security Rule"

The security rule provides a set of standards that define administrative, physical, and technical safeguards mandated by DHHS to protect the confidentiality, integrity, and availability of electronic protected health information. The standards require covered entities to implement basic safeguards to protect electronic protected health information from unauthorized access, alteration, deletion, and transmission.  These standards require measures to be taken to secure this information while in the custody of entities covered by HIPAA as well as in transit between covered entities and from covered entities to others.

Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).  In an effort to standardize HIPAA Security Rule compliance for all covered entities, DHHS has issued 45 CFR parts 160, 162 and 164.  The CFR describes a list of safeguards separated into three categories:

Administrative Safeguards
  • Security Management Process
  • Assigned Security Responsibility
  • Workforce Security
  • Information Access Management
  • Security Awareness and Training
  • Security Incident Procedures
  • Contingency Plan
  • Business Associate Contracts and Other Arrangements

Physical Safeguards
  • Facility Access Controls
  • Workstation Use
  • Workstation Security
  • Device and Media Controls

Technical Safeguards
  • Access Control
  • Audit Controls
  • Integrity
  • Person or Entity Authentication
  • Transmission Security


HIPAA Security - Compliance Dates

All implementation specifications and standards must be met by the compliance date set forth by DHHS in its final Security Rule.  According to 45 CFR 164.318, the following table gives the dates by which each type of covered entity must have implemented the security standards:


Covered Entities                                                   Compliance Date
Health Care Providers                                              April 20, 2005
Medium & Large Health Plans (revenue of $5,000,001 or greater)     April 20, 2005
Small Health Plans (revenue of $5,000,000 or less)                 April 20, 2006
Health Care Clearinghouses                                         April 20, 2005

How can Information Risk Group assist you with HIPAA security compliance?

IRG has developed several offerings with respect to the HIPAA "Security Rule":

Contact IRG today for further information regarding HIPAA privacy and security compliance.

Information Risk Group LLC
3220 Henderson Blvd.
Tampa, FL 33609


Offering information security and risk management services to companies throughout the Americas.