标准简介
《健康保险流通与责任法案》(HIPAA)是美国于 1996 年 8 月颁布的基础性联邦法律,旨在保护敏感的患者健康信息,防止未经患者同意或知情而被披露。HIPAA 建立了保护受保护健康信息(PHI)的国家标准,确保医疗保健提供者、健康计划、医疗保健清算所及其业务合作伙伴实施适当的安全措施。该法律包括多项规则,包括隐私规则(2003 年 4 月生效)、安全规则(2005 年 4 月生效)和违规通知规则(2009 年 9 月可执行)。HIPAA 适用于'受保实体'(进行电子交易的医疗保健提供者、健康计划和医疗保健清算所)以及代表受保实体处理 PHI 的'业务合作伙伴'。
HIPAA 合规要求实施三类安全措施:行政措施(政策、程序、培训)、物理措施(设施访问控制、工作站安全)和技术措施(访问控制、加密、审计控制)。隐私规则管理 PHI 的使用和披露,赋予患者访问其记录、请求更正和接收披露说明的权利。安全规则专门针对电子 PHI(ePHI)保护,通过必需和可寻址的实施规范。最新更新包括 2024 年生殖健康隐私规则和 2025 年提议的网络安全增强措施,以应对勒索软件和黑客威胁。美国卫生与公众服务部民权办公室(OCR)通过审计和调查执行 HIPAA,每次违规的罚款从 100 美元到 50000 美元不等,每类违规每年最高可达 150 万美元。2024-2025 年 HIPAA 审计计划重点关注与网络安全威胁相关的安全规则合规性。
Protected Health Information
Establishes national standards for protecting individually identifiable health information (PHI) — including electronic, paper, and oral forms.
Security Rule Safeguards
Requires administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic PHI (ePHI).
Breach Notification
Mandates notification to affected individuals, HHS, and (for large breaches) media within 60 days of discovering a breach of unsecured PHI.
list_alt Key Rules
- Privacy Rule — limits use and disclosure of PHI
- Security Rule — administrative, physical, and technical safeguards for ePHI
- Breach Notification Rule — 60-day notification requirement
- Enforcement Rule — investigation and penalty procedures
- Minimum Necessary standard — limit PHI to what is needed
- Business Associate Agreements (BAAs) required
- Patient right to access their health records
Who Needs to Comply?
Covered entities (health plans, healthcare clearinghouses, healthcare providers conducting electronic transactions) and their business associates that create, receive, maintain, or transmit PHI.
Key Requirements
Risk Analysis
Conduct an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the organization.
Access Controls
Implement technical policies and procedures to limit access to ePHI to only those persons and software programs that have been granted access rights. Includes unique user IDs, emergency access, and automatic logoff.
Business Associate Agreements
Execute written contracts with all business associates that create, receive, maintain, or transmit PHI on your behalf. BAAs must specify permitted uses and require safeguards.
Audit Controls
Implement hardware, software, and/or procedural mechanisms to record and examine activity in information systems that contain or use ePHI.
Workforce Training
Train all workforce members on HIPAA policies and procedures. Apply appropriate sanctions against employees who violate policies.
Penalties & Enforcement
Civil penalties range from $141 to $2,134,831 per violation depending on the level of culpability. Criminal penalties for knowing misuse include fines up to $250,000 and up to 10 years imprisonment. HHS OCR enforces through audits and investigations.