All covered entities that process health-related data are required to comply with the U.S. Department of Health and Human Services' (HHS) Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA has led to sweeping changes to health care administration and information systems as health care organizations struggle to achieve cost-effective compliance by 2003.

HIPAA is designed to standardize the way all health care organizations electronically exchange sensitive patient data and to protect patients from unauthorized disclosure of their medical records (whether paper or electronic).

HIPAA is a federal law that has been amended to the Internal Revenue Code of 1986 which intends to:

• Improve portability and continuity of health insurance.
• Combat waste, fraud and abuse in health insurance and delivery.
• Promote the use of medical savings accounts.
• Improve access to long-term health care services and coverage.
• Simplify the administration of health insurance.
• The ultimate objective of HIPAA is to increase the efficiency and effectiveness of health information systems through improvements in electronic health care transactions as well as to maintain the security and privacy of individually identifiable health information.

Under HIPAA, there are specific standards that all health care organizations are required to adhere to. These standards include an Administrative Simplification Title that is aimed at preventing health care fraud and abuse. Within this title, there are several laws and proposed standards including:

Electronic Health Transactions Standards (45 CFR Parts 160 and 162; Final Rule; Compliance by October 2002 (Providers can apply for a 1 year extension).

Privacy & Confidentiality Standards (45 CFR Parts 160 and 164; Final Rule; Compliance by April, 2003 (2004 for small health plans).

Unique Health Identifiers (45 CFR Parts 160 and 164; Proposed Rule; Expected Compliance by 2004). Security & Electronic Signature Standards (45 CFR Part 142; Proposed Rule; Expected Compliance by 2004).

Any entity that facilitates the processing of non-standard formatted health information and must convert the non-standard data into standard transactions, or vice versa.

• Healthcare Providers who transmit health information electronically.
• Providers who receive individual health information.
• Providers who electronically maintain health information used in electronic transmissions between entities.

HIPAA's reach is quite broad. It impacts all health plans, clearinghouses and providers who electronically store and transmit health information. It covers all individually identifiable health information that is transmitted electronically or on paper. Current administrative processes are complex, inefficient and costly. There is a great opportunity for HIPAA to help a covered entity drive down high administrative costs and realize efficiencies, while not adversely affecting the quality of patient care.

Conversely, non-compliance with HIPAA regulations may cause disruptions in an organization's day-to-day business processes, resulting in both tangible and intangible costs. The most serious implications of HIPAA non-compliance for health care organizations include the inability to effectively conduct electronic business and the potential of losing significant segments of business.

• Penalty for failure to comply with regulations.
• Up to $100 per violation per person up to a maximum of $25,000 per year.
• Penalty for knowingly and wrongfully disclosing individually identifiable health information.
• Up to $50,000 per violation or one year imprisonment or both for simple offense.
• Up to $100,000 per violation or five years imprisonment or both if the offense is "under false pretenses."
• Up to $250,000 or ten years imprisonment or both if committed with intent to sell, transfer or use for commercial advantage, personal gain or malicious harm.
• Civil Sanctions - the real risk.