The Health Insurance Portability and Accountability Act

Much has been said about HIPAA since its release back in 1996, and it is continuing to make waves in the healthcare industry, especially concerning its privacy and security rules. For consumers and caregivers alike, HIPAA plays an important role in the safety and security of patient information and transmittal, and the government is serious about compliance on all levels, citing civil and criminal charges with hefty fines or even imprisonment as some of the penalties.

Let’s cut through the static with an overview of the Act so that healthcare professionals can implement proper practices within their organizations.

HIPAA Privacy

The HIPAA Privacy Rule, released in 2003, established a national set of standards that protect patient health information, and directly applies to “covered entities”, or healthcare providers that transmit their patients’ information in an electronic form, health plans and health insurance companies, as well as health clearinghouses, like billing services.

On the patient side, HIPAA Privacy gives patients rights over their health information and sets rules and limits on who can look at and receive that information, while taking into account the necessary avenues that must be taken to promote high quality healthcare. The Privacy Rule applies to all forms of individuals’ protected health information – whether electronic, written, or oral.

For healthcare professionals, this means that in order to ensure patients’ confidentiality, they must put into action certain practices like:

  • Adopting and putting into practice privacy procedures for the organization
  • Training all employees so that they understand the privacy procedures of the practice
  • Notifying patients about their privacy rights and how their information can be used
  • Designating at least one individual to be responsible for ensuring that privacy and security procedures are adopted and followed by all in the organization
  • Securing patient records containing health information that can identify an individual so that they are not readily accessible or available to those who do not need them
  • For a more in-depth and detailed guide on this topic, visit our page dedicated to HIPAA Privacy.

HIPAA Security

The HIPAA Security Rule, also released in 2003, works in conjunction with the Privacy Rule described above, but taps into the electronic side of health information storage and transmittal, or what the government calls, “electronic protected health information” (e-PHI). On a broadly defined spectrum, the HIPAA Security Rule covers implementation on a physical, administrative, and technical level, with several requirements and advisories for each.

As new medical technology continues to enter the market and physicians and administrators rely on them to improve patient care, the industry has begun to move away from paper processes and rely more heavily on the use of electronic information systems, hence the need for regulations and protection. Processes like answering coverage eligibility questions, paying claims, providing health information and other administrative functions have become increasingly simplified thanks to new health technology. However, with this new adoption comes increased security risks for both the patient and practice.

With the government goal of converting all health records to electronic versions by 2014 with the Health Information Technology for Economic and Clinical Health Act (HITECH), these outstanding concerns about the safety and security of electronically stored information will continue to  be on the top of everyone’s mind.

There has been some debate about the range in flexibility between the required actions to be taken by physicians or other “covered entities” compared to those actions that are addressable. While the required standards are obviously mandatory, some of the addressable standards are as well, causing a bit of confusion and frustration when it comes to compliance. With this confusion comes the many compliance issues and filed complaints that have riddled the healthcare industry since HIPAA inception.

Here are some of the major “required” practices set forth for covered entities:

  • To ensure the confidentiality, integrity, and availability of all its e-PHI
  • To protect against any reasonably anticipated threats or hazards of its e-PHI
  • To protect against any reasonably anticipated uses or disclosures of e-PHI not permitted or required under the HIPAA Privacy Rule
  • To ensure that all employees comply with the HIPAA Security Rule
  • Guaranteeing periodic evaluations of security preparedness
  • For a more in-depth and detailed guide on this topic, visit our page dedicated to HIPAA Security.

HIPAA Violations

Under HIPAA, patients have the right to file complaints for noncompliance against health practices or other covered entities. In the cases where a violation has occurred, the Secretary of the Department of Health and Human Services (HHS) has authority in determining the amount of the penalty given, based on the nature and extent of the violation and the nature and extent of the harm resulting from the violation. With the exception of a violation filed for willful neglect, civil penalties cannot be imposed on a violator that has corrected the issue within 30 days of its filing.

Most complaints regarding privacy are against physicians’ practices and involve:

  • Failure to have valid authorization from an individual for disclosure of personal information
  • Health data breaches – impermissible use or disclosure of protected information
  • Refusal or failure to provide an individual with access to or a copy of personal records
  • Lack of adequate safeguards to protect patients’ personal health information
  • Disclosure of more information than is necessary upon a patients’ request

For a more in-depth and detailed guide on this topic, visit our page dedicated to HIPAA Violations.

HIPAA is a complex ruling, but one that is necessary and very important, as it offers patients and medical practitioners the protection they need and deserve. As more and more medical technologies are integrated into every aspect of the healthcare industry, policies, rules and regulations set forth in HIPAA Privacy and Security Rules will continue to provide proper guidelines for the intended safety and security of patients’ health information.