The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 and is regulated by the Department of Health and Human Services to ensure the privacy and security of protected health information (PHI).
Why was this law created?
This law was designed to reduce the possibility of healthcare fraud and abuse, improve the portability of health insurance coverage, and protect the privacy of individuals' personal health records. Once this law went into effect, additional regulations were established. In 2013, the “omnibus” rule was created to provide additional protection for individuals' personal health information. The additional rule includes the following requirements for PHI:
- Business associates of covered entities must be accountable for compliance under HIPAA
- Limits on the use and disclosure of PHI for marketing and fundraising were strengthened, and the sale of PHI without authorization from the individual was prohibited
- Expansion of an individual’s rights to electronic copies, and restriction of disclosures to health plans as they relate to fully paid treatment
- Modification and redistribution requirements for a covered entity's privacy practices
- Additional privacy protections for genetic information
- Breach notification requirements for the unauthorized disclosure of unsecured PHI.
Legal Documents Needed under HIPAA
The following documents are required for covered entities, their business associates and subcontractors:
- Authorization Forms
Written permission from patients is needed to authorize covered entities to disclose their private health information.
- Notice of Privacy Practices
Patients must be given notice regarding the disclosure of their personal health information.
- Business Associate Agreements
These agreements must be in place between each covered entity and its vendors to ensure the vendors understand what they may and may not do with PHI and how they may transmit it, whether electronically or otherwise.
Subcontractors must also comply and should have a business associate agreement in place. Under the rule, they have an additional year for contract compliance.