標準簡介
《健康保險流通與責任法案》(HIPAA)是美國於 1996 年 8 月頒布的基礎性聯邦法律,旨在保護敏感的患者健康資訊,防止未經患者同意或知情而被揭露。HIPAA 建立了保護受保護健康資訊(PHI)的國家標準,確保醫療保健提供者、健康計畫、醫療保健清算所及其業務合作夥伴實施適當的安全措施。該法律包含多項規則,包括隱私規則(2003 年 4 月生效)、安全規則(2005 年 4 月生效)和違規通知規則(2009 年 9 月可執行)。HIPAA 適用於'受保實體'(進行電子交易的醫療保健提供者、健康計畫和醫療保健清算所)以及代表受保實體處理 PHI 的'業務合作夥伴'。
HIPAA 合規要求實施三類安全措施:行政措施(政策、程序、培訓)、實體措施(設施存取控制、工作站安全)和技術措施(存取控制、加密、稽核控制)。隱私規則管理 PHI 的使用和揭露,賦予患者存取其記錄、請求更正和接收揭露說明的權利。安全規則專門針對電子 PHI(ePHI)保護,透過必需和可定址的實施規範。最新更新包括 2024 年生殖健康隱私規則和 2025 年提議的網路安全增強措施,以應對勒索軟體和駭客威脅。美國衛生與公眾服務部民權辦公室(OCR)透過稽核和調查執行 HIPAA,每次違規的罰款從 100 美元到 50000 美元不等,每類違規每年最高可達 150 萬美元。2024-2025 年 HIPAA 稽核計畫重點關注與網路安全威脅相關的安全規則合規性。
Protected Health Information
Establishes national standards for protecting individually identifiable health information (PHI) — including electronic, paper, and oral forms.
Security Rule Safeguards
Requires administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic PHI (ePHI).
Breach Notification
Mandates notification to affected individuals, HHS, and (for large breaches) media within 60 days of discovering a breach of unsecured PHI.
list_alt Key Rules
- Privacy Rule — limits use and disclosure of PHI
- Security Rule — administrative, physical, and technical safeguards for ePHI
- Breach Notification Rule — 60-day notification requirement
- Enforcement Rule — investigation and penalty procedures
- Minimum Necessary standard — limit PHI to what is needed
- Business Associate Agreements (BAAs) required
- Patient right to access their health records
Who Needs to Comply?
Covered entities (health plans, healthcare clearinghouses, healthcare providers conducting electronic transactions) and their business associates that create, receive, maintain, or transmit PHI.
Key Requirements
Risk Analysis
Conduct an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the organization.
Access Controls
Implement technical policies and procedures to limit access to ePHI to only those persons and software programs that have been granted access rights. Includes unique user IDs, emergency access, and automatic logoff.
Business Associate Agreements
Execute written contracts with all business associates that create, receive, maintain, or transmit PHI on your behalf. BAAs must specify permitted uses and require safeguards.
Audit Controls
Implement hardware, software, and/or procedural mechanisms to record and examine activity in information systems that contain or use ePHI.
Workforce Training
Train all workforce members on HIPAA policies and procedures. Apply appropriate sanctions against employees who violate policies.
Penalties & Enforcement
Civil penalties range from $141 to $2,134,831 per violation depending on the level of culpability. Criminal penalties for knowing misuse include fines up to $250,000 and up to 10 years imprisonment. HHS OCR enforces through audits and investigations.