We all recognize there are certainties in life. What all health care workers must realize is that the Health Insurance Portability and Accountability Act (HIPAA) is, indeed, one of those nagging certainties that simply cannot be ignored. Full compliance with HIPAA is not just a good idea — it’s federal law.
While there are many facets of HIPAA, including matters of public health, research, emergency preparedness, health information technology, and genetic information, the focus of this article is to examine who needs to comply with HIPAA, two of the main components of HIPAA, their effects on a typical medical practice, and the consequences of noncompliance.
According to the Department of Health and Human Services (HHS), HIPAA governs two main groups: “Covered Entities” and “Business Associates.” Covered Entities are health plans, health care clearinghouses, and health care providers that transmit health information in electronic form in connection with a transaction for which HHS has adopted a standard. A Business Associate is any consultant, vendor, or subcontractor that performs a function or service on behalf of a Covered Entity and, in doing so, has access to Protected Health Information (PHI). PHI is any information held by a Covered Entity or Business Associate that concerns health status, provision of health care, or payment for health care and that can be linked to an individual.
Title II of HIPAA defines policies, procedures, and guidelines for maintaining the privacy and security of individually identifiable health information, outlines offenses relating to health care, and sets civil and criminal penalties for violations.
The goal of the HIPAA Privacy Rule is to give patients access to their medical records and to put controls in place over how their PHI is used and disclosed. Compliance with the standards was required as of April 14, 2003, for most entities covered by HIPAA, with a one-year extension (to April 14, 2004) for certain “small plans.”
Some elements of the Privacy Rule include:
- Covered Entities are required to notify individuals of how their PHI may be used and disclosed.
- Covered Entities may disclose PHI to law enforcement officials as required by law.
- Individuals have the right to request that inaccurate PHI be corrected.
The HIPAA Security Rule establishes national standards for the security of electronic PHI (ePHI). While the Privacy Rule applies to all PHI, paper and electronic alike, the Security Rule deals specifically with ePHI. It requires Covered Entities and Business Associates to maintain administrative, physical, and technical safeguards for ePHI, and to base those safeguards on a documented risk analysis. A major goal of the Security Rule is to protect the privacy of individuals’ health information while still allowing Covered Entities to adopt new technologies that improve the quality and efficiency of patient care.
According to HHS, more than 97,000 HIPAA complaints have been filed since April 2003, and approximately 95 percent of them have been resolved. The compliance issue investigated most often is impermissible use and disclosure of PHI, and the type of Covered Entity most often involved is the private medical practice.
Some concerns can be resolved quite simply. For example, a staff member may improperly disclose PHI by discussing test results in the lobby, or a computer screen may be positioned so that unauthorized people can view PHI on it. For problems like these, new policies and protocols can be developed and staff training implemented.
Other resolutions are more complex. The HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA), established a tiered civil penalty structure and criminal liability for HIPAA violations, and extended the Security Rule obligations directly to Business Associates. Additionally, HHS conducts periodic audits of Covered Entities and Business Associates to verify compliance. So, whether you are a Covered Entity or a Business Associate, HIPAA compliance is not just a good idea, it’s the law.
If you have questions about this article, please contact us. This information should not be considered legal advice applicable to a specific situation. Legal guidance for individual matters should be obtained from a retained attorney.