By the time you read this article, you should be aware of the Federal Regulation changes that apply to “Covered Entities.” These changes strengthen the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Here is a brief summary of the Final Rule:
• Many requirements have been expanded to Business Associates of the Covered Entities receiving protected health information, such as contractors and subcontractors. Business Associates have up to one year after the 180-day compliance date to modify contracts to comply with the rule.
• Penalties have increased for non-compliance based on the level of negligence with a maximum penalty of $1.5 million per violation.
• Breach Notification requirements have been strengthened by clarifying when breaches of unsecured health information must be reported to the Department of Health and Human Services.
• Individual rights have expanded in two important ways:
    o Patients can ask for a copy of their electronic medical record in an electronic form.
    o Individuals paying by cash can instruct their provider not to share information about their treatment with their health plan.
• New limits have been set on how information is used and disclosed for marketing and fundraising purposes, and the sale of an individual’s health information without their permission is prohibited.
• The rule reduces burden by streamlining individuals’ ability to authorize the use of their health information for research purposes.
• The rule makes it easier for parents and others to give permission to share proof of a child’s immunization with a school.
• Genetic information is protected under the HIPAA Privacy Rule, and most health plans are prohibited from using or disclosing genetic information for underwriting purposes.
Does HIPAA apply to my office?
If you have not done so already, you are highly encouraged to perform your due diligence in determining your answer. According to HIPAA, as outlined in the Code of Federal Regulations 45 CFR §160.103, a “health care provider” that conducts certain transactions electronically is considered a “covered entity” and must comply with HIPAA. A transaction is defined as “the transmission of information between two parties to carry out financial or administrative activities related to health care.” Common transactions include communications regarding billing, payment, coordination of benefits, enrollment and disenrollment, and eligibility.
I utilize a billing service; does that mean my office does not have to comply with HIPAA?
No. A “health care provider,” as described above, includes “any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.” This means health care providers that conduct any standard transaction electronically, or use a third party to do so (like a billing entity), are subject to the administrative simplification rules. Standard transactions include communication regarding billing, payment, coordination of benefits, enrollment and disenrollment, and eligibility.
What is Administrative Simplification?
This is a provision within HIPAA that is intended to reduce health care costs through electronic data interchange (EDI), standardizing electronic processing and improving communication within the health care industry. This provision addresses electronic transaction standards, privacy and security standards, as well as unique identifiers (like NPI numbers).
Does HIPAA apply only to electronic data?
No, not if you are considered a “covered entity” under HIPAA. Once a “health care provider” has conducted a covered transaction electronically, then the provider is considered a covered entity and the HIPAA administrative simplification requirements apply to all activities of the provider. The Privacy standards apply to “individually identifiable health information” transmitted or maintained in any form, which includes oral, written, electronic or otherwise. The Security standards apply specifically to electronic PHI.
What information is protected?
Administrative Simplification generally applies to Protected Health Information, commonly referred to as PHI. PHI is information that can identify an individual and that relates to the provision of, or payment for, past, present or future medical care or to a medical condition. It’s important to know that information can be PHI even without medical references such as diagnosis or treatment information. Examples include demographic information such as name, address, phone number and social security number.
In summary, it is your responsibility, as a provider of health care, to ensure your office has safeguards in place to protect the privacy and security of your patients’ health information. This article in no way serves as legal advice. As with any State or Federal regulation, your due diligence in assessing your compliance is critical.