HIPAA Overview
I. INTRODUCTION
The health care industry is facing sweeping changes in how it handles and protects health information. These changes are mandated by the Health Insurance Portability and Accountability Act (HIPAA), which was enacted by Congress on August 21, 1996.
HIPAA affects health care providers, health plans, health care clearinghouses, employers and third-party entities that furnish health care services or supplies. It establishes standards for automating the process of claims administration and standards for the confidentiality and security of health information.
II. BACKGROUND INFORMATION
In totality, HIPAA changes the way health care is insured, documented, compensated, communicated, and policed. Its broad provisions are directed at:
· Assuring health insurance portability for employed persons;
· Curtailing health care fraud and abuse;
· Enforcing standards for health information; and
· Guaranteeing the security and privacy of health information.
HIPAA outlines a process to achieve uniform national health insurance data standards and health information privacy in the United States. Title II of HIPAA includes a section called Administrative Simplification, which requires:
· Improved efficiency in health care delivery by standardizing the electronic data interchange of certain administrative and financial transactions; and
· Protection of the confidentiality and privacy of health care information through setting and enforcing standards.
More specifically, HIPAA calls for:
· Standardization of electronic patient health, administrative and financial data;
· Unique health identifiers for individuals, employers, health plans and health care providers; and
· Security standards protecting the confidentiality and integrity of "individually identifiable health information", past, present and/or future.
One of the most important sections of HIPAA is the one providing for protection of the confidentiality and privacy of health care information. HIPAA requirements will be met to a much greater extent by policies and procedures than by technology. More specifically, HIPAA calls for privacy standards protecting the confidentiality and integrity of "individually identifiable health information", past, present and/or future.
III. PROVISIONS OF HIPAA PRIVACY
The original Privacy Rule was published in December 2000 with a compliance date of April 14, 2003. A Proposed Rule Modification (PRM) was published March 27, 2002, which clarifies and simplifies major sections of the original Privacy Rule.
Those covered by the HIPAA regulations are referred to as "covered entities" and include health plans, health care clearinghouses and health care providers who transmit health information in an electronic form. This would include most hospitals, clinics and physician offices. This means that any department of a hospital that comes in contact with protected health information (PHI) must abide by these rules and the hospital's policies for safeguarding this information. Disclosures of PHI are allowed (under certain conditions) for the purposes of another covered entity for certain health care operations, including credentialing.
Covered entities are also required to make available to individuals a "Notice of Privacy Practices" at the time of encounter, which describes how the covered entity will use, disclose and protect health information. This notice must also appear on the covered entity's website.
The information that is protected is referred to as "protected health information" (PHI). By definition it is "individually identifiable health information transmitted or maintained in any form". Health information relates to the individual's health or condition, provision of health care, or payment information. Covered entities are only permitted to use or disclose "protected health information" for treatment, payment or health care operations, unless written authorization is received from the individual. Covered entities are expected to use reasonable safeguards for the use of protected health information. This includes verbal communications.
Another provision of HIPAA is that covered entities must secure a signed agreement from all their business associates that use protected health information. The agreement must state that they will abide by these same HIPAA Privacy Rules. Business associates are any outside business "that performs or assists in any function or activity or performs services for or in behalf of a covered entity which involves use or disclosure of PHI (other than members of their workforce)".
The Privacy Rules also give patients certain rights. These include the right to adequate notice of privacy practices, the right to request restriction of uses and disclosures, the right to access health information, the right to request amendment of health information, and the right to an accounting of disclosures.
IV. OTHER PROVISIONS OF HIPAA
Several other HIPAA compliance requirements that covered entities must meet include the following:
· designate a privacy official and a person or office to receive complaints;
· train all members of the workforce on the rules;
· implement administrative, technical and physical safeguards to protect privacy;
· document all complaints;
· sanction those workers who do not comply;
· mitigate harmful effects of violations;
· refrain from retaliation;
· not require waiver of rights; and
· implement policies and procedures.
HIPAA compliance will be enforced by the Office of Civil Rights. Penalties may include civil monetary penalties and criminal penalties of fines and prison sentences.
For further information regarding HIPAA Compliance services and to learn how JAF Consulting, Inc. can assist your organization, contact us at 856-241-1900 or email info@jafconsulting.com