"Significant breaks" in coverage
Group health plans may refuse to provide benefits relating to preexisting conditions for a period of 12 months after enrollment in the plan or 18 months in the case of late enrollment. However, individuals may reduce this exclusion period if they had group health plan coverage or health insurance prior to enrolling in the plan. Title I allows individuals to reduce the exclusion period by the amount of time that they had "creditable coverage" prior to enrolling in the plan and after any "significant breaks" in coverage. Title I also limits restrictions that a group health plan can place on benefits for preexisting conditions.
The HIPAA Privacy Rule
The HIPAA Privacy Rule regulates the use and disclosure of certain information held by "covered entities" (generally, health care clearinghouses, employer-sponsored health plans, health insurers, and medical service providers that engage in certain transactions). It establishes regulations for the use and disclosure of Protected Health Information (PHI). PHI is any information held by a covered entity which concerns health status, provision of health care, or payment for health care that can be linked to an individual. This is interpreted rather broadly and includes any part of an individual's medical record or payment history.
An individual who believes that the Privacy Rule is not being upheld can file a complaint with the Department of Health and Human Services Office for Civil Rights (OCR). However, according to the Wall Street Journal, the OCR has a long backlog and ignores most complaints. "Complaints of privacy violations have been piling up at the Department of Health and Human Services. Between April 2003 and Nov. 30, the agency fielded 23,896 complaints related to medical-privacy rules, but it has not yet taken any enforcement actions against hospitals, doctors, insurers or anyone else for rule violations. A spokesman for the agency says it has closed three-quarters of the complaints, typically because it found no violation or after it provided informal guidance to the parties involved."
The Security Rule
The Security Rule deals specifically with Electronic Protected Health Information (EPHI). It lays out three types of security safeguards required for compliance: administrative, physical, and technical. For each of these types, the Rule identifies various security standards, and for each standard, it names both required and addressable implementation specifications. Required specifications must be adopted and administered as dictated by the Rule. Addressable specifications are more flexible: the covered entity must assess whether the specification is reasonable and appropriate in its environment and either implement it or document why it is not appropriate and implement an equivalent alternative measure where reasonable.
HIPAA and drug and alcohol rehabilitation organizations
Special considerations for confidentiality are needed for health care organizations that offer federally-funded drug or alcohol rehabilitation services. Predating HIPAA by over a quarter century are the Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment and Rehabilitation Act of 1970 and language amended by the Drug Abuse Office and Treatment Act of 1972.
National standards for electronic health care transactions
The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA, Title II) required the Department of Health and Human Services (HHS) to establish national standards for electronic health care transactions and national identifiers for providers, health plans, and employers. They also addressed the security and privacy of health data. Adopting these standards is intended to improve the efficiency and effectiveness of the nation's health care system by encouraging the widespread use of electronic data interchange in health care.
Standards for electronic health information transactions.
Within 18 months of enactment, the Secretary of HHS is required to adopt standards from among those already approved by private standards-developing organizations for certain electronic health transactions, including claims, enrollment, eligibility, payment, and coordination of benefits. These standards must also address the security of electronic health information systems.
Mandate on providers and health plans, and timetable.
Providers and health plans are required to use the standards for the specified electronic transactions 24 months after they are adopted. Plans and providers may comply directly, or may use a health care clearinghouse. Certain health plans, in particular workers' compensation, are not covered.
The Secretary is required to recommend privacy standards for health information to Congress 12 months after enactment. If Congress does not enact privacy legislation within 3 years of enactment, the Secretary shall promulgate privacy regulations for individually identifiable electronic health information.
Pre-emption of State Law.
The bill supersedes state laws, except where the Secretary determines that the state law is necessary to prevent fraud and abuse, to ensure appropriate state regulation of insurance or health plans, or to address controlled substances, or for other purposes. If the Secretary promulgates privacy regulations, those regulations do not pre-empt state laws that impose more stringent requirements. These provisions do not limit a state's ability to require health plan reporting or audits.
Penalties.
The bill imposes civil money penalties and prison for certain violations.
This information is no substitute for a meeting with a qualified lawyer who can apply the facts of your case to this and other applicable law in your home state to arrive at a meaningful conclusion as to what to do. This guide is not legal advice; your situation almost certainly has unique factors that may change your results.