HIPAA: Helpful Information for Health Care Professionals
Written by Joshua Kleinstreuer
Category: HIPAA Compliance
IN A NUTSHELL:
- HIPAA originally passed in 1996
- HHS issued the Privacy Rule in 2000 (modified in 2002)
- Security Rule published in 2003
- Omnibus Final Rule published in 2013
Congress passed the Health Insurance Portability and Accountability Act (HIPAA), and it was signed into law on Aug. 21, 1996. The legislation addressed a range of issues in health care, but above all it provided the first federal standards for the privacy of health care information.
The original legislation was framed as an amendment to the Internal Revenue Code of 1986:
“To improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, to simplify the administration of health insurance.”
2000—Privacy Rule issued (modified in 2002): Focused on the rights of the individual and their ability to control their protected health information (PHI), and set limits on how covered entities may use and disclose it.
2003—Security Rule issued: Set national standards for protecting the confidentiality, integrity, and availability of electronic PHI (ePHI) through administrative, physical, and technical safeguards.
2013—Omnibus Final Rule issued: Implemented the HITECH Act provisions, extended direct liability to business associates, and strengthened the ability of the Office for Civil Rights (OCR) within HHS to enforce the rules and impose civil money penalties. It also modified the HIPAA Privacy Rule as required by the Genetic Information Nondiscrimination Act (GINA).
–Who is covered by The Privacy Rule–
Health Plans: Individual and group plans that provide or pay the cost of medical care
Health Care Providers: Every health care provider, regardless of size, who electronically transmits health information in connection with certain transactions, is a covered entity. These transactions include claims, benefit eligibility inquiries, referral authorization requests, or other transactions for which HHS has established standards.
Health Care Clearinghouses: Health care clearinghouses are entities that process nonstandard information they receive from another entity into a standard format or data content, or convert standard information into a nonstandard format. Health care clearinghouses include billing services, repricing companies, community health management information systems, and value-added networks and switches, if these entities perform clearinghouse functions.
Business Associates: Generally, a business associate is a person or organization, other than a member of a covered entity’s workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information.
–Information that is protected–
Individually Identifiable Health Information: Protected health information (PHI) is individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or medium. It includes common identifiers such as Social Security Number, name, address, and date of birth, as well as demographic data, when that information relates to:
- The individual’s past, present, or future physical or mental health condition;
- The provision of health care to the individual; or
- Past, present, or future payment for the provision of health care to the individual;
and that identifies the individual, or for which there is a reasonable basis to believe it can be used to identify the individual.
–Most common alleged noncompliance issues–
- Impermissible uses and disclosures of protected health information
- Lack of safeguards of protected health information
- Lack of patient access to their protected health information
- Lack of administrative safeguards of electronic protected health information
- Use or disclosure of more than the minimum necessary protected health information
–Most common types of entities alleged to have committed violations–
- General Hospitals
- Private Practices and Physicians
- Outpatient Facilities
- Health Plans (group health plans and health insurance issuers)
–An individual’s rights under HIPAA–