The rules of HIPAA are published by the Department of Health and Human Services (HHS) and enforced by the Centers for Medicare and Medicaid Services (CMS) and the Office for Civil Rights (OCR). The primary focus of the law was to ensure the portability of health insurance coverage for Americans changing jobs. It was also designed to protect the privacy and security of patient records and to bring uniformity to claims processing.
All healthcare organizations are affected in some way by HIPAA. The entities that are affected include all health care providers, health plans, employers, public health authorities, hospitals, life insurers, clearinghouses, billing agencies, information systems vendors, and service organizations.
The three main rules of HIPAA are:
- Privacy Rule: Organizations must identify the uses and disclosures of protected health information (PHI) and put into effect appropriate safeguards to protect against an unauthorized use or disclosure of that PHI. When material breaches or violations of privacy are identified, the organizations must take reasonable steps to solve those problems in order to limit exposure of PHI. Compliance with HIPAA’s PHI guidelines was required of all covered entities, regardless of size, by April 14, 2004. Additionally, under the final rules, patients have expanded rights to understand and control how their health information is used.
- Security Rule: Defines the administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of electronic protected health information. Covered entities are required to implement basic safeguards to protect electronic protected health information from unauthorized access, alteration, deletion, and transmission. The final rule states that all covered entities, with the exception of small health plans, had to be compliant by April 21, 2005.
- Electronic Transactions Standards: While software vendors do most of the work to make computer systems HIPAA compliant, medical practices must have policies and procedures in place to ensure the submission of the necessary data elements to complete each transaction. For each transaction, the standard dictates a certain set of required data elements, optional data elements, format, and content. In addition, practices will have to ensure that their software vendors build language into each contract to ensure compliance with the law.
Under the HIPAA regulations, there are more than 400 different formats for transmitting "standard" health care data such as benefits, eligibility, and payment information to payers; these are under consideration for consolidation into 20 standard "HIPAA-compliant" transaction standards.
HIPAA calls for severe civil and criminal penalties for noncompliance, including:
- fines up to $25,000 for multiple violations of the same standard in a calendar year
- fines up to $250,000 and/or imprisonment up to 10 years for known misuse of individually identifiable health information
Administrative Simplification in the Affordable Care Act
The Affordable Care Act (ACA) expanded the provisions in HIPAA to support administrative simplification. These new requirements include operating rules for the HIPAA-named standards, a standard for electronic funds transfer, and a national health plan identifier.
It is imperative for physician practices to maintain HIPAA compliance on a daily basis by conducting an organizational assessment and identifying any gaps that exist. It is also important to assign a team or staff member to manage and coordinate HIPAA compliance within the practice, holding quarterly educational sessions and developing policies and procedures for the practice to ensure compliance.