HIPAA Overview

Please be advised that the information presented below is merely an overview of the HIPAA administrative simplification regulations and not intended as legal advice. Individuals and entities potentially impacted by these regulations are urged to review the actual regulations and consult legal counsel to determine compliance requirements for specific circumstances.

What is HIPAA?

  • Federal law titled the Health Insurance Portability and Accountability Act of 1996 (HIPAA)
  • Primary purpose was to improve health insurance accessibility for people changing employers or leaving the workforce
  • HIPAA also included "Administrative Simplification" provisions to encourage and protect the electronic transmission of health-related data

What are HIPAA's administration simplification provisions?

  • Electronic transaction national standards
  • Privacy protection for individually identifiable health care information
  • Security protection for electronically maintained information

Why was legislation needed?

  • Rapid growth of Internet and intranet applications to transmit and share patient information, such as diagnoses, lab tests, and prescriptions
  • Advancements in the computerization of patient medical records
  • Increasing use of electronic prior authorizations, claims submission and payments
  • Lack of standardization for the collection, storage, and transmission of health data
  • Public concerns about privacy (20% of consumers believe their health information has been used or disclosed inappropriately)

Who must comply with HIPAA?

  • Any person or organization that furnishes, bills, or is paid for health care in normal course of business - includes ambulatory centers/clinics, groups, physicians and dentists (regardless of size)
  • Health plans that provide or pay the cost of medical care, including Medicare and Medicaid
  • Health care clearinghouses that process data elements or transactions

Electronic transaction provisions

  • Electronic Data Interchange standards have been adopted for the following transactions:
    • Health claims/encounter information
    • Enrollment/disenrollment in a health plan
    • Eligibility for a health plan
    • Health care payment and remittance advice
    • Health plan premium payments
    • Health claim status
    • Referral certification and authorization
    • Coordination of benefits
  • All electronic transactions must be converted to a specific standard format
  • All systems will communicate with each other
  • HHS cost estimates for non-hospital providers range from $0 (providers with no electronically processed patient claims or encounters) to $10,000 to cover software/system upgrades (does not include staff training and possible payment delays during conversion period)
  • HHS estimates savings per electronically processed claim at $1.49 for physicians
  • Total savings for non-hospital organizations are estimated to range from $0 to over $70,000 between 2002 and 2011
  • Organizations are not required to use electronic transactions, except that health plans must accept HIPAA-compliant electronic transactions
  • Also, Medicare claims must be submitted electronically as of 10/16/03, unless org. has less than 10 FTEs
  • Regulation was published in 8/00 with compliance date of 10/16/02. Pres. Bush signed legislation delaying compliance date by one year for orgs that submit a detailed compliance plan to HHS by 10/16/02.
  • HHS has drafted a model compliance plan
  • Small health plans have until 10/16/03 to comply and need not submit a compliance plan

Privacy provisions

  • Compliance date for most entities is 4/14/03
  • Intended to protect patient health information (PHI), regardless of form, that may identify a patient
  • Health care information that is de-identified pursuant to the rule may be disclosed
  • 8/02 final rule - PHI may be disclosed for treatment, payment or health care operations (QI, credentialing, compliance) without signed consent BUT
  • When service is first rendered, good faith effort is required to obtain patient's written acknowledgement of receipt of "notice of privacy practices" describing his/her rights regarding PHI
  • Patient authorization is required for other uses and disclosures (marketing, employers, insurance, research)
  • Exceptions to marketing patient authorizations requirement: face-to-face encounters, communications involving nominal gifts, discussion of treatment options and the organization's own health-related products and services.
  • If an individual refuses to give authorization for these purposes, providers generally still must provide treatment.
  • Special rules apply to disclosures for research purposes - limited data set of items such as birthdate and zipcode may be disclosed without authorization.
  • Authorizations may be contained in single form, but must be written in specific terms and must identify:
    • The information to be disclosed
    • Persons authorized to make the disclosure
    • Persons authorized to receive the information
    • Expiration date of authorization
  • Health emergencies, law enforcement, judicial and administrative proceedings are exempt from authorization requirement.
  • State law governs disclosure of minors' PHI to parents
  • Patients have the right to inspect and receive a copy of their medical records and to request amendments to their records.
  • Patients also have the right to receive an accounting of disclosures
  • Use of health information for non-treatment purposes must be limited to "minimum necessary." Incidental disclosure is permitted if it can't be reasonably prevented and reasonable safeguards are employed. Therefore, waiting room sign-in sheets, bed-side charts, conversations in semi-private rooms or at nurses' stations are generally allowed.
  • Each entity must designate a privacy officer, develop privacy policies and procedures, and provide staff training to ensure that health information is protected.
  • Written agreement must be in place that provides for appropriate safeguarding of PHI with all "business associates" (unless information is shared for treatment purposes).
  • Business associates perform various functions for the covered entity (law firms, accountants, answering service and accreditation organizations).
  • AAAHC has prepared "business associate" agreement to be used for surveys beginning 4/14/03.

Security provision

  • Compliance date for most entities is April 21, 2005.
  • Security standards apply only to electronically
    protected PHI.
  • The draft security standards contain three parts:
    • Administrative safeguards - comprehensive security policies and procedures
    • Physical safeguards - data integrity, backup, access workstation locality, security training
    • Technical safeguards - security measures against unauthorized access to data
  • Standards establish a minimum threshold for compliance in each of the three categories
  • However, the security standards do not specify particular technology requirements - each organization must assess its own "risk" and develop security measures accordingly
  • Organizations must evaluate their security programs

Unique health identifiers

  • HIPAA requires unique national health identifiers for health care providers and employers.  Health care providers may begin applying for the National Provider Identifier (NPI) on the effective date of the final rule, which is May 23, 2005.  All health care providers are eligible to be assigned NPIs; health care providers who transmit health information electronically are covered entities and therefore required to obtain and use NPIs.  All HIPAA covered entities must use NPIs by the compliance dates (May 23, 2007 for all but small health plans; May 23, 2008 for all small health plans).  HHS also adopted a National Employer Indentification Standard for use in health care transactions, which is the IRS Employer ID.

State laws

  • State laws pertaining to electronic transactions standards are superseded if contrary to HIPAA
  • State laws pertaining to privacy and confidentiality of medical records are saved if they provide more protection than HIPAA (summaries at www.healthprivacy.org)

Examples of red flags

  • Medical records unattended or accessible by unauthorized individuals
  • Patient record can be viewed on computer monitor by other patients or unauthorized staff
  • Discussion of patient condition in open areas - lobby, hallway, elevators
  • Leaving patients telephone messages with health information

Preparing for compliance

  • Identify the transactions sent/received electronically
  • Compare existing formats to those defined for each transaction standard
  • Identify trading partners and vendors that communicate electronically
  • Review existing privacy policies and procedures against HIPAA regulations and state law
  • Appoint staff person responsible for privacy in the organization
  • Adopt privacy and security policies and procedures, including access to electronic health information
  • Conduct staff training and education
  • Execute business associate agreements for vendors with access to PHI and adopt process to respond to violations of agreements
  • Prepare patient authorization form for disclosure of PHI
  • Utilize computer passwords and locking file cabinets
  • Prepare "notice of privacy practices" and establish procedures for obtaining patient acknowledgement
  • Develop a security incident response team and plan
  • Explore potential for clinical information systems and other technology solutions
  • Plan to conduct future assessment of privacy and security procedures