Understanding the 5 Main HIPAA RulesGreg Garner
When putting together your organization’s strategy for HIPAA compliance, it is important to know and understand the rules of the system to ensure your training and documentation protocols are error-free and are consistent with the outlined standards. The HIPAA Laws and Regulations are segmented into five specific rules that your entire team should be well aware of. This is an in-depth look at each rule and how it should be applied:
5 Main HIPAA Rules
- Privacy Rule
The Privacy Rule protects the PHI and medical records of individuals, with limits and conditions on the various uses and disclosures that can and cannot be made without patient authorization. This rule also gives every patient the right to inspect and obtain a copy of their records and request corrections to their file. There are specific forms that coincide with this rule: Request of Access to Protected Health Information (PHI); Notice of Privacy Practices (NPP) Form; Request for Accounting Disclosures Form; Request for Restriction of Patient Health Care Information; Authorization for Use or Disclosure Form; and the Privacy Complaint Form.
- Security Rule
The security rule defines and regulates the standards, methods and procedures related to the protection of electronic PHI on storage, accessibility and transmission. There are three safeguard levels of security. The Administrative safeguards deal with the assignment of a HIPAA security compliance team; the Technical safeguards deal with the encryption and authentication methods used to have control over data access, and the Physical safeguards deal with the protection of any electronic system, data or equipment within your facility and organization. The risk analysis and risk management protocols for hardware, software and transmission fall under this rule.
- Transactions Rule
This rule deals with the transactions and code sets used in HIPAA transactions, which includes ICD-9, ICD-10, HCPCS, CPT-3, CPT-4 and NDC codes. These codes must be used correctly to ensure the safety, accuracy and security of medical records and PHI.
- Identifiers Rule
HIPAA uses three unique identifiers for covered entities who use HIPAA regulated administrative and financial transactions. These identifiers are: National Provider Identifier (NPI), which is a 10-digit number used for covered healthcare providers in every HIPAA administrative and financial transaction; National Health Plan Identifier (NHI), which is an identifier used to identify health plans and payers under the Center for Medicare & Medicaid Services (CMS); and the Standard Unique Employer Identifier, which identifies and employer entity in HIPAA transactions and is considered the same as the federal Employer Identification Number (EIN).
- Enforcement Rule
This rule is derived from the ARRA HITECH ACT provisions for violations that occurred before, on or after the February 18, 2015 compliance date. This expands the rules under HIPAA Privacy and Security, increasing the penalties for any violations. This addresses five main areas in regards to covered entities and business associates: Application of HIPAA security and privacy requirements; establishment of mandatory federal privacy and security breach reporting requirements; creation of new privacy requirements and accounting disclosure requirements and restrictions on sales and marketing; establishment of new criminal and civil penalties, and enforcement methods for HIPAA non-compliance; and a stipulation that all new security requirements must be included in all Business Associate contracts.
The HIPAA Privacy Rule is the specific rule within HIPAA regulation that focuses on protecting Personal Health Information (PHI). It established national standards on how covered entities, health care clearinghouses, and business associates share and store PHI. It established rules to protect patients information used during health care services.
HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. HIPAA’s original intent was to ensure health insurance coverage for individuals who left their job. Since 1996, HIPAA has gone through modification and grown in scope.
HIPAA Rules and Regulations are enforced by the Office of Civil Rights (OCR) within the Health and Human Services (HHS) devision of the federal government. Enforcement is ongoing and fines of $2 million-plus have been issued to organizations found to be in violation of HIPAA.
HIPAA or the Health Insurance Portability and Accountability Act of 1996 is federal regulations that was established to strengthen how Personal Health Information (PHI) is stored and shared by Covered Entities and Business Associates. HIPAA regulation covers several different categories including HIPAA Privacy, HIPAA Security, HITECH and OMNIBUS Rules, and the Enforcement Rule. All Covered Entities and Business Associates must follow all HIPAA rules and regulation.
New for 2021: There are two rules, issued by the HHS Office of the National Coordinator for Health Information Technology (ONC) and Centers for Medicare & Medicaid Services (CMS), which implement interoperability and provides patient access provisions. These were issues as part of the bipartisan 21st Century Cures Act (Cures Act) and supported by President Trump’s MyHealthEData initiative. MyHealthEData gives every American access to their medical information so they can make better healthcare decisions. More information coming soon.