What is HIPAA?
Greg Garner
HIPAA is the Health Insurance Portability and Accountability Act. It was passed in 1996 and mandates standards throughout the healthcare industry for electronic billing and other transactions. It also lets workers carry over and continue health insurance coverage when they change jobs or are terminated. The law aims to reduce healthcare fraud and abuse, and it requires that protected health information (PHI) be kept confidential and protected whenever it is handled.
Who is HIPAA for?
HIPAA was designed to protect patients: it requires health plans, healthcare providers, clearinghouses and business associates of any HIPAA-covered entity to implement safeguards for sensitive personal and health information. The law also limits the ability of group health plans to deny or restrict coverage because of pre-existing diseases or conditions.
Designed to be flexible yet comprehensive, it covers a variety of uses and disclosures that are needed. All covered entities under the rule are required to comply.
What is a covered entity?
Covered entities are defined as health plans, healthcare clearinghouses and healthcare providers that electronically transmit health information in connection with standard transactions.
- Healthcare providers
This includes physicians, nurse practitioners, dentists, nursing homes, chiropractors, pharmacies, psychologists and other licensed healthcare professionals or facilities.
- Health plans
This includes company health plans, health insurance organizations, HMOs, veteran and military care programs, Medicare, Medicaid and other government programs.
- Healthcare clearinghouses
Any entity that processes nonstandard health information received from another entity into a standard electronic format or data content (or the reverse) qualifies under this rule.
Covered entities can also apply for "meaningful use" incentives from the government for adopting an electronic medical record (EMR) system. Covered entities must meet the following regulatory requirements:
- The HIPAA Privacy Rule, which sets the standards for the use of PHI and patients’ rights to access their healthcare data.
- The HIPAA Security Rule, which sets the standards for electronic transmission, storage and use of PHI. This includes computer and network access to electronic PHI (ePHI).
- The HIPAA Breach Notification Rule, which sets the standards for the procedures and reporting that all covered entities must complete if there is a data breach.
The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 and is regulated by the Department of Health and Human Services (HHS) to ensure the privacy and security of protected health information (PHI).
Why was this law created?
This law was designed to reduce the possibility of healthcare fraud or abuse, to guarantee the portability of health insurance coverage, and to protect the privacy of individuals' personal health records. After the law went into effect, additional regulations were established under it. In 2013, the "Omnibus" Rule was issued to strengthen individuals' protections over their personal health information. The Omnibus Rule added the following requirements for PHI:
- Business associates of covered entities must be accountable for compliance under HIPAA
- The limits on use and disclosure of PHI for marketing and fundraising were strengthened, and the sale of PHI without the individual's authorization was prohibited
- An individual's right to electronic copies of their records was expanded, and individuals gained the right to restrict disclosures to a health plan about treatment they have paid for in full out of pocket
- Covered entities were required to modify and redistribute their notices of privacy practices
- Additional privacy protections were added for genetic information
- Breach notification requirements were added for the unauthorized disclosure of unsecured PHI.
Legal Documents Needed under HIPAA
The following documents are required for covered entities, their business associates and subcontractors:
- Authorization Forms
Written permission is needed from patients authorizing a covered entity to disclose their private health information for purposes the Privacy Rule does not otherwise permit.
- Notice of Privacy Practices
Patients must be given notice regarding the disclosure of their personal health information.
- Business Associate Agreements
These agreements must be in place between each covered entity and its vendors so that each vendor knows what PHI it may and may not use, disclose or transmit, whether electronically or otherwise.
Subcontractors of business associates must also comply and should have a business associate agreement in place. Under the Omnibus Rule, existing contracts were given an additional year to be brought into compliance.
While most people know HIPAA for compliance, those standards were derived as part of the HIPAA Privacy Rule. This rule was designed to protect the medical records and other personal health information of individuals.
Who does the privacy rule apply to?
This rule applies to covered entities that handle and transmit healthcare information: healthcare clearinghouses, health plans and healthcare providers, whether they are individuals, organizations, institutions, research facilities or government agencies. In 2013, the Omnibus Rule extended it directly to business associates, including IT contractors, accountants, attorneys and cloud service providers.
If the rules are broken, what happens?
Every covered entity must have physical, technical and administrative safeguards in place for protected health information (PHI). Breaking those rules brings extensive fines. Civil penalties for noncriminal violations range from $100 to $50,000 per violation "of the same provision," subject to an annual cap, and knowing misuse of PHI can also result in criminal penalties.
What are the mandated provisions of the rule?
- Technical safeguards
The technology, and the policies governing its use, that protect ePHI and control access to it. Access controls (covering reading, writing, modifying and communicating data) must give each user a unique identifier, log sessions off automatically, and provide procedures for emergency access. Audit controls must record and allow examination of activity in systems that hold ePHI, and integrity controls (policies, procedures and mechanisms) must protect ePHI from unauthorized alteration or destruction. This should be part of every covered entity's HIPAA checklist.
- Physical safeguards
The physical policies, procedures and measures that protect electronic information systems, and the equipment and buildings that house them, from natural hazards and unauthorized intrusion. This includes facility access controls; workstation use and security; and controls on the movement of hardware and electronic media containing ePHI into and out of the facility.
- Administrative safeguards
The administrative policies, procedures and actions that manage the selection, development, implementation and maintenance of security measures protecting ePHI, and the conduct of the workforce in relation to them. This includes the security management process; assigned security responsibility; workforce security; contingency plans; and security incident procedures.
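The technical safeguards listed above (unique user identifiers, automatic logoff, emergency access, audit controls and integrity controls) are easiest to understand as code. The following Python is an added example written for this page; it is not code from the original article, from HHS, or from any HIPAA product. The roles, permission table, 15-minute idle timeout, record IDs, patient data and audit key are all constructed for illustration, and the break-glass behaviour (emergency read permitted but flagged) is an assumed organizational policy, not a requirement spelled out in the rule. The audit trail is made tamper-evident by chaining each entry to the previous one under an HMAC, so that unauthorized alteration or deletion of an entry is detectable.

```python
"""Illustrative ePHI access layer for the HIPAA Security Rule's technical safeguards.
Added example, not from the original page. Roles, timeout, key and data are constructed."""
import hashlib
import hmac
import json
from dataclasses import dataclass

# Hypothetical roles and the actions each may perform on a patient record.
ROLE_PERMISSIONS = {
    "physician": {"read", "write"},
    "nurse": {"read"},
    "front_desk": set(),          # no clinical access unless break-glass is invoked
}
IDLE_TIMEOUT_SECONDS = 15 * 60    # assumed automatic-logoff policy
AUDIT_KEY = b"constructed-demo-key-do-not-use"  # in production: a KMS/HSM-held secret
GENESIS = "0" * 64                # chain anchor for the first audit entry


@dataclass
class Session:
    user_id: str                  # unique per person: no shared or generic logins
    role: str
    last_activity: float


class EPHIStore:
    def __init__(self, clock):
        self.clock = clock        # injectable clock so timeouts can be tested deterministically
        self.records = {}         # record_id -> dict of ePHI
        self.sessions = {}        # user_id -> Session
        self.audit_log = []       # append-only, HMAC-chained entries

    # --- person/entity authentication and automatic logoff -------------------
    def login(self, user_id, role):
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        self.sessions[user_id] = Session(user_id, role, self.clock())
        self._audit(user_id, "login", None, True)

    def _active_session(self, user_id):
        session = self.sessions.get(user_id)
        if session is None:
            raise PermissionError(f"{user_id} is not logged in")
        now = self.clock()
        if now - session.last_activity > IDLE_TIMEOUT_SECONDS:
            del self.sessions[user_id]           # automatic logoff after idle period
            self._audit(user_id, "auto_logoff", None, True)
            raise PermissionError(f"{user_id} was logged off after idle timeout")
        session.last_activity = now
        return session

    # --- audit controls with integrity protection ----------------------------
    @staticmethod
    def _mac(entry):
        body = {k: v for k, v in entry.items() if k != "mac"}
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(AUDIT_KEY, canonical, hashlib.sha256).hexdigest()

    def _audit(self, user_id, action, record_id, allowed, emergency=False):
        prev_mac = self.audit_log[-1]["mac"] if self.audit_log else GENESIS
        entry = {"ts": self.clock(), "user": user_id, "action": action,
                 "record": record_id, "allowed": allowed,
                 "emergency": emergency, "prev": prev_mac}
        entry["mac"] = self._mac(entry)          # binds this entry to its predecessor
        self.audit_log.append(entry)

    def verify_audit_log(self):
        """Return the index of the first altered/out-of-order entry, or None if intact."""
        prev_mac = GENESIS
        for index, entry in enumerate(self.audit_log):
            if entry["prev"] != prev_mac or not hmac.compare_digest(self._mac(entry), entry["mac"]):
                return index
            prev_mac = entry["mac"]
        return None

    # --- access control -------------------------------------------------------
    def access(self, user_id, action, record_id, emergency=False, data=None):
        session = self._active_session(user_id)
        allowed = action in ROLE_PERMISSIONS[session.role]
        if not allowed and emergency and action == "read":
            allowed = True                       # break-glass: permitted but flagged for review
        self._audit(user_id, action, record_id, allowed, emergency)  # log denials too
        if not allowed:
            raise PermissionError(f"{user_id} ({session.role}) may not {action} {record_id}")
        if action == "write":
            self.records[record_id] = dict(data)
            return None
        return dict(self.records[record_id])
```

Every attempt, successful or not, produces an audit entry, and `verify_audit_log()` locates the first entry whose content or position no longer matches the chain; re-signing a modified entry would also require the audit key, which is why that key should live outside the application that writes the log.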
This rule, issued by the U.S. Department of Health and Human Services (HHS), implements HIPAA's requirements for how organizations that use and transmit individuals' health information, called protected health information or PHI, may use and disclose it.
One goal of the Privacy Rule is to ensure that health information is properly protected while still allowing it to flow between covered entities as needed to provide high-quality health care and protect the public's health and well-being.
What are the covered entities?
This applies to health plans, healthcare clearinghouses and any health care provider transmitting health information in electronic form.
- Health plans include insurers of health, vision, dental and prescription drug coverage; HMOs; Medicare, Medicaid and Medicare supplement insurers; and long-term care insurers. This includes health plans sponsored by employers, churches, government agencies and multi-employer groups.
- Healthcare providers include all providers, regardless of size, that electronically transmit health information in connection with standard transactions.
- Healthcare clearinghouses are entities that process nonstandard information received from another entity into a standard format or data content. This includes repricing companies, billing services and health information networks.
- Business Associates, such as persons or organizations other than the employees of the covered entity performing specific functions or actions on behalf of covered entities involving the use or disclosure of PHI. They must have a business associates contract in place.