• The Security Rule requires that covered entities protect against reasonably anticipated uses or disclosures of e-PHI that are not permitted. It also requires them to perform a risk analysis as part of their security process.
• Who must comply with the rules set in place by the HIPAA legislation? They apply to covered entities and their relevant business associates, such as suppliers and vendors who maintain, transmit, store, or access PHI. Examples include chiropractors, clinics, doctors, dentists, nursing homes, and pharmacies. They further include health plans that provide or pay the cost of health care, such as company health plans, health insurance companies, health maintenance organizations, and government programs like Medicare and Medicaid.
• Other covered entities include business associates: people or organizations that perform a service for the covered entity which involves access to personal health information. These services typically involve billing, data analysis, financial, and legal services.
• The Office of Civil Rights of the Department of Health and Human Services enforces HIPAA regulations. It investigates complaints and periodically conducts compliance audits.
• Noncompliance with HIPAA is not acceptable. It carries punishments that can include monetary penalties of up to $50,000 or more per violation and a potential criminal penalty of a year in prison; if a breach occurs that is shown to have been done with malicious intent, the punishment can be increased to $100,000-$250,000 and up to a 10-year prison
In the health care business, certain standards and laws have been put in place to protect patients and their personal health information. When a health care facility fails to protect its patients' confidential information, the US Government may get involved, and facilities may be forced to pay huge sums of money in fines and risk damaging their reputation.
HIPAA (Health Insurance Portability and Accountability Act of 1996) is United States legislation that provides data privacy and security provisions for safeguarding medical information. In 2013, the HIPAA Omnibus Rule was put in place by HHS to implement modifications to HIPAA in accordance with guidelines set in 2009 by the Health Information Technology for Economic and Clinical Health (HITECH) Act concerning the responsibilities of business associates of covered entities. The omnibus rule also increased penalties for HIPAA compliance violations to a maximum of $1.5 million per incident. HIPAA violations can prove quite costly for healthcare organizations. First, the HIPAA Breach Notification Rule within the omnibus set of regulations requires
Under the HIPAA compliance audit program, if a healthcare organization has attested and is later audited and found not to be compliant with HIPAA, the organization could face penalties, including giving back the meaningful use incentive money. Goedert (2013) provided the following ways to ensure compliance: conduct mock audits, make sure all data within the organization is encrypted, ensure computer access is logged, fill network security gaps, update and expand policies and regulations, and, most importantly, have all staff complete annual HIPAA training courses with emphasis on privacy and security.
Patient HIPAA agreements – I would review the organization's patient HIPAA information release forms to ensure that the form follows the laws and regulations provided by HHS. Covered entities must comply with HIPAA rule requirements protecting the privacy and security of patients' health information and must provide patients with rights regarding access to their healthcare records.
In 1996, the HIPAA act was passed. The Health Insurance Portability and Accountability Act (HIPAA) was directed at improving several areas of the health field: for instance, lowering the number of errors and mistreatment, giving individuals the ability to transfer health coverage according to their present situation, and, most importantly, monitoring the security and confidentiality of information to ensure it is controlled in an accurate manner. This act gives Congress the ability to govern financial matters such as federal-level funding processes pertaining to different health documentation. Providing quality care while protecting patients' information is a priority controlled under HIPAA, which accepts collaboration with all state and federal
In 2009, the American Recovery and Reinvestment Act established a civil penalty structure for HIPAA. If the individual did not know that they were violating HIPAA, the penalty would be $100 per violation, including a maximum of $25,000 per repeat violation. The maximum penalty for violating HIPAA unintentionally is $50,000 with
All healthcare providers, health organizations, and government health plans that use, store, maintain, or transmit patient health care information are required to comply with the privacy regulations of the HIPAA
Like all of the administrative rules, the security rule applies to health plans, health care clearing houses, and to any health care provider who transmits health information in electronic form in connection with a transaction for which the Secretary of HHS has adopted standards under HIPAA. Health plans include health, dental, vision, and prescription drug insurers, health maintenance organizations, Medicare, Medicaid and Medicare supplement insurers, and long-term care insurers. Health plans also include employer-sponsored group health plans, government and church-sponsored health plans, and multi-employer health plans. Every health care provider, regardless of size, who electronically transmits health information in connection with certain transactions, is a covered entity. Using electronic technology, such as email, does not mean a health care provider is a covered entity; the transmission must be in connection with a standard transaction. The Privacy Rule covers a health care provider whether it electronically transmits these transactions directly or uses a billing service or other third party to do so on its behalf. Health care providers include all providers of services and providers of medical or health services as defined by Medicare, and any other person or organization that furnishes, bills, or is paid for health care.
Currently there are three categories of covered entities that are required to comply with HIPAA: health plans, most health care providers, and health care clearinghouses. With that being said, many organizations that hold personal health information are considered non-covered entities and therefore are not required to comply with HIPAA. Some examples of non-covered entities are life insurers, employers, workers' compensation carriers, most schools and school districts, law enforcement agencies, and many state agencies like child protective service agencies. In addition, most medical research companies are not required to comply with HIPAA, yet have access to personal health information.
Ten years ago, after many challenges and considerable skepticism, the HIPAA policy became effective and has been shaping healthcare one regulatory policy at a time. The evolution of the HIPAA privacy act helped establish the HIPAA Security Rule, which was published in 2003 and became effective in 2005, and then eventually led to the HIPAA Enforcement Rules and the Breach Notification Rule. With its joint fortification of the 2009 HITECH Act and HIPAA's modifications to regulations, it was released to the industry in January 2013 (American Health Information Management Association, 2013).
HIPAA was put in place to help set standards for protecting a patient's personal health information; therefore, HIPAA does affect a patient's access to medical records. A patient can review or obtain a copy of their records by submitting a written request or a medical release form to the physician (covered entity), in which case the covered entity can release a "designated record set" of certain personal
These new provisions affect not only health care providers, health plans, and health care clearinghouses, but also a wide range of vendors and contractors that provide services to health care organizations. Previously, HIPAA applied only to the use and disclosure of individually identifiable health information (known as "protected health information") by health care providers, health plans, and health care clearinghouses (known collectively as "covered entities"). Vendors providing administrative services to covered entities, such as legal services, accounting, information technology, financial support, and similar services, were not directly subject to HIPAA's privacy and security provisions. They were, however, required to sign business associate agreements and thereby agree by contract to maintain the privacy and security of protected health information. Changes made by ARRA expand the scope and application of HIPAA. Among the most far-reaching provisions of ARRA are those that apply several of HIPAA's security and privacy requirements to business associates. In addition, business associates will be subject to civil and criminal penalties and enforcement proceedings for violations of HIPAA. The definition of a business associate is also being expanded to include organizations that provide data transmission of protected health information to covered entities and business associates and that require routine access to that protected health information. Examples of such organizations include health information exchange
The penalties for violating the rules dictated by HIPAA are complicated, because the guidelines are still very broad and the rules are still so new that with each case new standards are being set for how violations are handled. Violation of HIPAA rules can result in civil and criminal consequences. One case marked history as the first in which a health care organization was fined for a HIPAA violation: Cignet Health in Maryland was fined $4.3 million for two violations, failure to provide patients a copy of their medical records within 60 days of a request and failure to cooperate with civil investigators. "HIPAA calls for civil and criminal penalties for privacy and security violations, including: -- fines up to $25K for multiple violations of the same standard in a calendar year -
A violation of HIPAA rules carries fines for breaches ranging from $100 to $50,000 per violation.
"HIPAA doesn't necessarily prescribe the solutions, but it does require physicians to look at all of the ways that they use and access data today and determine whether that's reasonable or not." To help you begin your HIPAA compliance process, the following are some practical ideas for rethinking how you maintain and use patient information in your office. Appoint one or two staff members (depending on the size of your office) to review the HIPAA act, determine the changes your practice needs to make, and decide if you'll need outside help. To keep this project manageable, do not wait until the last minute. Remember: most of the healthcare industry will have to be HIPAA compliant by April 14, 2003. Furthermore, compliance is not optional. Those found in violation of the act will be penalized: "Civil penalties range up to $25,000 per violation of each standard. Criminal penalties range up to $250,000 in fines and/or up to 10 years in prison."3