When putting together your organization’s strategy for HIPAA compliance, it is important to know and understand the rules of the system to ensure your training and documentation protocols are error-free and are consistent with the outlined standards. The HIPAA Laws and Regulations are segmented into five specific rules that your entire team should be well aware of. This is an in-depth look at each rule and how it should be applied:
5 Main HIPAA Rules
- Privacy Rule
The Privacy Rule protects the PHI and medical records of individuals, with limits and conditions on the various uses and disclosures that can and cannot be made without patient authorization. This rule also gives every patient the right to inspect and obtain a copy of their records and request corrections to their file. There are specific forms that coincide with this rule: Request of Access to Protected Health Information (PHI); Notice of Privacy Practices (NPP) Form; Request for Accounting Disclosures Form; Request for Restriction of Patient Health Care Information; Authorization for Use or Disclosure Form; and the Privacy Complaint Form.
- Security Rule
The security rule defines and regulates the standards, methods and procedures related to the protection of electronic PHI on storage, accessibility and transmission. There are three safeguard levels of security. The Administrative safeguards deal with the assignment of a HIPAA security compliance team; the Technical safeguards deal with the encryption and authentication methods used to have control over data access, and the Physical safeguards deal with the protection of any electronic system, data or equipment within your facility and organization. The risk analysis and risk management protocols for hardware, software and transmission fall under this rule.
- Transactions Rule
This rule deals with the transactions and code sets used in HIPAA transactions, which includes ICD-9, ICD-10, HCPCS, CPT-3, CPT-4 and NDC codes. These codes must be used correctly to ensure the safety, accuracy and security of medical records and PHI.
- Identifiers Rule
HIPAA uses three unique identifiers for covered entities who use HIPAA regulated administrative and financial transactions. These identifiers are: National Provider Identifier (NPI), which is a 10-digit number used for covered healthcare providers in every HIPAA administrative and financial transaction; National Health Plan Identifier (NHI), which is an identifier used to identify health plans and payers under the Center for Medicare & Medicaid Services (CMS); and the Standard Unique Employer Identifier, which identifies and employer entity in HIPAA transactions and is considered the same as the federal Employer Identification Number (EIN).
- Enforcement Rule
This rule is derived from the ARRA HITECH ACT provisions for violations that occurred before, on or after the February 18, 2015 compliance date. This expands the rules under HIPAA Privacy and Security, increasing the penalties for any violations. This addresses five main areas in regards to covered entities and business associates: Application of HIPAA security and privacy requirements; establishment of mandatory federal privacy and security breach reporting requirements; creation of new privacy requirements and accounting disclosure requirements and restrictions on sales and marketing; establishment of new criminal and civil penalties, and enforcement methods for HIPAA non-compliance; and a stipulation that all new security requirements must be included in all Business Associate contracts.
Understanding these rules will assist in the development and application of your security protocols and methods for compliance.