The Health Insurance Portability and Accountability Act (HIPAA) is a legislative act that was passed in 1996. Several years later, administrative rules were published and continue to be updated to address transaction codes, information privacy, security, and breach notification.
Who Must Comply with HIPAA?
The HIPAA Privacy and Security Rules (and the more recent Breach Notification Rule) contain administrative, technical and physical safeguards for the protection of certain patient information called "Protected Health Information" or PHI. These rules apply to all "covered entities". Covered entities generally include all healthcare plans, healthcare providers who transmit health care information in electronic form (using a standard transaction), and healthcare clearinghouses (including billing companies). The regulations refer to these groups as "covered entities." However, the HITECH Act expanded the reach of these HIPAA rules to "business associates" of these covered entities. Business associates are contractors or vendors who perform certain tasks for the covered entities that require access to PHI.
What Kind of Information Does HIPAA Protect?
The Privacy Rule defines PHI as "individually identifiable health information" in any format. All information pertaining to an individual and held by a covered entity is generally considered "protected health information". The only exception is information that has been "de-identified" pursuant to the specific procedures outlined in the regulations. The Security Rule governs "electronic protected health information" and requires covered entities to ensure the confidentiality, integrity, and availability of all PHI that is created, received, maintained or transmitted by the covered entity in electronic form.
What Rights Do Individuals Have Under HIPAA?
In general, the HIPAA Privacy Rule gives individuals the right to request a restriction on uses and disclosures of their protected health information. Individuals also have the right to request confidential communications, or that communications of protected health information be sent by alternative means, such as sending correspondence to the individual's office instead of the individual's home. With limited exceptions, individuals also have the right to inspect and obtain a copy of their own protected health information and to request amendments to it. Individuals may also request an accounting of most disclosures the covered entity made of their PHI. Finally, individuals have the right to receive the covered entity's Notice of Privacy Practices.
What Do Covered Entities Need To Do In Order To Comply With The HIPAA Rules?
Examples of the issues that covered entities will need to address in order to comply with the Privacy Rule include:
- appointment of a privacy officer and contact person to receive complaints
- development of consent, notice and authorization forms for patients
- development of numerous required privacy policies and procedures
- drafting of agreements with all business associates
- training of staff on privacy issues
What Does The HIPAA Security Rule Require?
The rule requires covered entities to conduct a risk analysis to identify any risks to electronic protected health information and to address such risks. In general, covered entities are also required to implement administrative procedures, physical safeguards, and technical security services to guard the integrity, confidentiality, and availability of patient data. The HIPAA Security Rule also requires covered entities to implement technical security mechanisms to prevent unauthorized access to patient data.