In 1996 a federal law was passed to create national standards for protecting sensitive patient health information effectively.
In addition to seeking to modernize the flow of healthcare information that came with technological advances, this piece of legislation also helps protect health care coverage for individuals who lose or change their jobs.
Known mostly by its acronym, HIPAA, the Health Insurance Portability and Accountability Act sets the standard for handling protected health information.
This includes all areas of the healthcare industry and health information technology.
The Health Insurance Portability and Accountability Act (HIPAA) was adopted by the 104th United States Congress and signed into law in August 1996. The legislation helped set a precedent for how healthcare providers and healthcare organizations handle and protect patient information.
In this regard, the legislation is privacy law. HIPAA sets national standards as it relates to protected health information (PHI). According to the language of the law, PHI is defined as:
It is important to understand that the provisions for HIPAA are outlined in five titles. Let’s take a look at some of their major points briefly.
Title I of HIPAA essentially protects health insurance coverage for workers and their families when employees experience a change or loss in a job. In effect, Title I prevents group health plans and insurance companies from denying coverage to those with pre-existing conditions. Title I also deals with exclusion periods when it comes to creditable coverage.
Title II covers the duty of the Department of Health and Human Services (HHS) to set national standards for electronic health care transactions, national provider identifiers (NPI), health plans, and employers. This provision is known as Administrative Simplification.
Title III provides for deductions for medical insurance and other tax-related provisions. It also makes changes to some health insurance laws. Title IV deals mainly with group health plans and sets conditions for coverage requirements. Title V includes provisions for company-owned life insurance and more.
In April of 2003, the HHS put forth provisions for the HIPAA Privacy Rule and Security Rule. The Privacy Rule is what established the national standards to protect individuals’ medical records and PHI. These standards outline how PHI could be shared across the healthcare industry and require permission to be obtained by the patient.
Also, the Privacy Rule allows patients to withhold information about their health status from insurance companies when their treatment is privately funded. It gives patients control over their own health information.
Entities subject to the Privacy Rule are known as covered entities. A covered entity includes:
Title II, the Administration Simplification provisions, ensure consistency as it relates to electronic communication across health systems. The transactions and code are set to deal with information exchange and must be followed for HIPAA compliance. Also, this is where most HIPAA violations occur.
Transactions refer to an electronic exchange of information between two entities to carry out administrative activities related to health care. These can also be financial in nature.
Code sets are specific codes adopted by HHS that classify medical items, such as diagnostic tests, procedures, treatments, and more. They are used for tracking, billing, and claims.
HIPAA requires standard identifiers for patients, employers, health plans, and healthcare providers during transactions. These are known as identifiers, e.g., 10-digit national provider identifier number (NPI). To date, it is only mandated for employers and healthcare providers.
The HIPAA Security Rule was established two years after the Privacy Rule sets security standards for PHI. These security rules outline how PHI is to be created, used, received, stored, and maintained. This includes both physical and technical safeguards to ensure integrity, confidentiality, and security of electronic PHI.
The HIPAA Enforcement Rule has provisions that relate to compliance and investigations. Also, it outlines the penalties for violations. All this is carried out by the HHS and its Office for Civil Rights (OCR).
The Breach Notification Rule was issued in September 2009. The HIPAA Breach Notification Rule requires covered entities and their business associates to provide notifications following data breaches of unsecured PHI.
The Health Information Technology for Economic and Clinical Health Act (HITECH) was also enacted in 2009. The primary goal of the HITECH Act was to encourage providers to adopt electronic health records (EHRs) to streamline the flow of PHI further. It also introduced the Meaningful Use program, which offers incentives that offset implementing EHRs.
The most recent legislation for HIPAA was the Omnibus Final Rule. In effect, the Omnibus Final Rule merely filled some gaps existing in the HIPAA and HITECH Act.
Again, HIPAA should be thought of as data privacy as it relates to health information. It limits this information flow to only those who need to know (e.g., healthcare providers, health insurance companies, etc.) and gives the patient control over their information and its use and exchange.
HIPAA was also created to provide provisions to transfer and continue health insurance coverage and health plans for millions of Americans who lose or change their job.
The extent to which HIPAA affects you will depend on the scope of your business or entity. But, as mentioned above, any covered entities (healthcare providers, health plans, and clearinghouses) that handle or process PHI is subject to HIPAA. This includes employers, indirectly, that use group health plans.
Thankfully, there are steps to be taken to ensure HIPAA compliance. The provisions are strict, but there is flexibility in regard to privacy and security implementation.
The first step is developing and establishing privacy and security policies for your organization. This shows you are proactive with HIPAA measures. This will include policies for how PHI is handled, distributed, stored, and transmitted. It also includes creating and distributing a Notice of Privacy Practices (NPP) for patients to explain their rights and how their PHI is handled.
Furthermore, all staff, trainees, and volunteers must be trained on these policies (and updates). Staff should be trained on HIPAA policies during orientation and regularly after that. They must attest in writing that they understand the policies and procedures.
Also, you must implement and understand the physical and technical safeguards that are put into place. A breach notification protocol must be adopted in the event of data breaches. Remember, failing to report breaches always makes the situation worse.
Finally, conducting regular risk audits to ensure HIPAA compliance should be done. In fact, the HHS requires it annually. Self-audits, or internal audits, can be conducted on all technical, physical, and administrative safeguards to identify gaps. Also, the HHS does run external audits through the HIPAA Audit Program.
The Health Insurance Portability and Accountability Act set provisions for how protected health information is handled, used, stored, and transferred across the healthcare system. It set industry standards for all healthcare providers, health plans, and clearinghouses to follow.
Also, HIPAA outlined provisions for individuals to continue or transfer health insurance coverage and health plans when they lose or change jobs. HIPAA was strengthened further with the adoption of the Privacy, Security, and Breach Notification Rules. These outlined the safeguards to maintain compliance with HIPAA regulations.
Although HIPAA does adhere to strict regulations, the purposes for doing so benefit the patients themselves. HIPAA helps give patients control over their personal health information and ensures all entities use this information with integrity.