What is HIPAA law?
The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA, Title II) require the Department of Health and Human Services (HHS) to establish national standards for electronic health care transactions and national identifiers for providers, health plans, and employers. It also addresses the security and privacy of health data. Adopting these standards was intended to improve the efficiency and effectiveness of the nation's health care system by encouraging the widespread use of electronic data interchange in health care.
The Department of Health and Human Services (HHS) modifies certain standards in the Rule entitled
‘‘Standards for Privacy of Individually Identifiable Health Information’’ (‘‘Privacy Rule’’). The Privacy Rule
implements the privacy requirements of the Administrative Simplification subtitle of the Health Insurance
Portability and Accountability Act of 1996. The purpose of these modifications is to maintain strong protections for the
privacy of individually identifiable health information while clarifying certain of the Privacy Rule’s provisions,
addressing the unintended negative effects of the Privacy Rule on health care quality or access to health care, and
relieving unintended administrative burdens created by the Privacy Rule.
HIPAA Rule Overview:
The Health Insurance Portability and Accountability Act of 1996 Public Law 104-191 (HIPAA) was passed by Congress to reform the insurance market and simplify health care administrative processes.
The administrative simplification part of HIPAA is aimed at reducing administrative costs and burdens in the health care industry by adopting and requiring the use of standardized, electronic transmission of administrative and financial data.
HIPAA will have a significant impact on the health care industry over the next several years.
HIPAA requires the Department of Health and Human Services (DHHS) to adopt national uniform standards for the electronic transmission of certain health information.
HIPAA ensures that patients have the right to expect their medical information will not be shared with anyone taking care of them unless they give permission for it to be shared.
Who has to be HIPAA Compliant?
Virtually all healthcare organizations – including all healthcare providers, health plans, public health authorities, healthcare clearinghouses, and self-ensured employers – as well as life insurers, information systems vendors, various service organizations, and universities.
Key Components of HIPAA Rule: The specific areas of administrative simplification addressed by HIPAA are:
1. Standards for Electronic Transactions
The term "Electronic Health Transactions" includes health claims, health plan eligibility, enrollment and di-enrollment, payments for care and health plan premiums, claim status, first injury reports, coordination of benefits, and related transactions.
In the past, health providers and plans have used many different electronic formats to transact medical claims and related business. Implementing a national standard is intended to result in the use of one format, thereby "simplifying" and improving transactions efficiency nationwide.
Virtually all health plans must adopt these standards. Providers using non-electronic transactions are not required to adopt the standards for use with commercial healthcare payers. However, electronic transactions are required by Medicare, and all Medicare providers must adopt the standards for these transactions. If they don't, they will have to contract with a clearinghouse to provide translation services.
Health organizations also must adopt standard code sets to be used in all health transactions. For example, coding systems that describe diseases, injuries, and other health problems, as well as their causes, symptoms and actions taken must become uniform. All parties to any transaction will have to use and accept the same coding, for the purpose of reducing errors and duplication of effort. Fortunately, the code sets proposed as HIPAA standards are already used by many health plans, clearinghouses and providers, which should ease transition to them.
2. Unique Identifiers for Providers, Employers, and Health Plans
In the past, healthcare organizations have used multiple identification formats when conducting business with each other – a confusing, error-prone and costly approach. It is expected that standard identifiers will reduce these problems. The Employer Identifier Standard, published in 2002, adopts an employer's tax ID number or employer identification number (EIN) as the standard for electronic transactions. The NPI, published in 2004, requires hospitals, doctors, nursing homes, and other healthcare providers to obtain a unique identifier when filing electronic claims with public and private insurance programs. Providers can apply for an identifier once and keep it if they relocate or change specialties. A final standard for a Health Plan identifier has not yet been published.
3. HIPAA Security Rule
The final Security Rule was published on February 20, 2003 and provides for a uniform level of protection of all health information that is housed or transmitted electronically and that pertains to an individual. The Security Rule requires covered entities to ensure the confidentiality, integrity, and availability of all electronic protected health information (ePHI) the covered entity creates, receives, maintains, or transmits. It also requires entities to protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI, protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the Privacy Rule, and ensure compliance by their workforce. Required safeguards include application of appropriate policies and procedures, safeguarding physical access to ePHI, and ensuring that technical security measures are in place to protect networks, computers and other electronic devices.
The Security Standard is intended to be scalable; in other words, it does not require specific technologies to be used. Covered entities may elect solutions that are appropriate to their operations, as long as the selected solutions are supported by a thorough security assessment and risk analysis.
4. HIPAA Privacy Rule
The Privacy Rule is intended to protect the privacy of all individually identifiable health information in the hands of covered entities, regardless of whether the information is or has been in electronic form. The rule establishes the first “set of basic national privacy standards and fair information practices that provides all Americans with a basic level of protection and peace of mind that is essential to their full participation in their care”. 65 Fed. Reg. at 82464. The Privacy standards::
Give patients new rights to access their medical records, restrict access by others, request changes, and to learn how they have been accessed
Restrict most disclosures of protected health information to the minimum needed for healthcare treatment and business operations
Provide that all patients are formally notified of covered entities' privacy practices,
Enable patients to decide if they will authorize disclosure of their protected health information (PHI) for uses other than treatment or healthcare business operations
Establish new criminal and civil sanctions for improper use or disclosure of PHI
Establish new requirements for access to records by researchers and others
Establish business associate agreements with business partners that safeguard their use and disclosure of PHI.
Implement a comprehensive compliance program, including:
- Conducting an impact assessment to determine gaps between existing information practices and policies and HIPAA requirements
- Reviewing functions and activities of the organization's business partners to determine where Business Associate Agreements are required
- Developing and implementing enterprise-wise privacy policies and procedures to implement the Rule
- Assigning a Privacy Officer who will administer the organizational privacy program and enforce compliance
- Training all members of the workforce on HIPAA and organizational privacy policies
- Updating systems to ensure they provide adequate protection of patient data
Benefits of HIPAA Regulation
Significant resources need to be invested over the next several years to achieve compliance with HIPAA legislation and to realize the long term benefits. The benefits of HIPAA include lowering administrative costs, enhancing accuracy of data and reports, increasing customer satisfaction, reducing cycle time and improving cash management.