HIPAA Regulations

HIPAA… What is it and how does it affect me?

This is a “Must Read” section!

On August 14, 2004 the Department of Health and Human Services published final modifications to the Medical Privacy Rule. The Standards for Privacy of Individually Identifiable Health Information (the Privacy Rule) took effect on April 14, 2001. The Privacy Rule creates national standards to protect individuals’ personal health information and gives patients increased access to their medical records. As required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Privacy Rule covers health plans, health care clearinghouses, and those health care providers who conduct certain financial and administrative transactions electronically. The Privacy Rule regulates how these “covered entities” may use and disclose identifiable health information for routine (e.g., treatment, payment) and non-routine (e.g., research, marketing) purposes. Most covered entities must comply with the Privacy Rule by April 14, 2003. Small health plans have until April 14, 2004 to comply with the Rule.

The HIPAA Privacy Rule establishes standards to protect the confidentiality of individually identifiable health information maintained or transmitted electronically in connection with certain administrative and financial transactions. The Rule provides new rights for individuals with respect to protected health information about them and mandates the obligations of health care providers, health plans, and health care clearinghouses. Training of every staff member on the new rights and the new policies and procedures as they apply to the healthcare operation is also required. The compliance date for privacy is April 14, 2003. http://www.hipaa.org

Individually Identifiable Health Information: Under HIPAA, this information is a subset of health information, including demographic information collected from an individual, that 1) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and 2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and that identifies the individual, or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

Protected Health Information: Under HIPAA, this means individually identifiable health information that is transmitted by electronic media, maintained in any medium described in the definition of electronic media, or transmitted or maintained in any other form or medium. Protected health information excludes individually identifiable health information in education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g; and records described at 20 U.S.C. 1232g(a)(4)(B)(iv).

Business Associate: A person or organization that performs a function or activity on behalf of a covered entity, but is not part of the covered entity’s workforce. A business also can be a covered entity under HIPAA in its own right.

Business Associate or Not a Business Associate? The regulations lay out two tests for whether a contracted business is a business associate: (1) does the business perform or assist in the performance of an activity or function involving the use or disclosure of protected health information? or (2) does the business provide legal services, actuarial services, accounting services, consulting services, data aggregation services, management services, administrative services, accreditation services, or financial services that require the disclosure of PHI from the physician? If the answer to either of these questions is “yes,” then a business associate agreement will be needed.

Business Associate Agreements (§164.502) This regulation impacts medical records procedures when the practice outsources certain functions. In many practices, coding, transcription, billing, and even release of information are contracted out to specialty companies. The practice already contracts with these entities, so each contract will need to be reviewed for compliance with HIPAA.

Under HIPAA, a covered entity may disclose PHI to a business associate, and may allow a business associate to create or receive PHI on its behalf, only if it obtains satisfactory assurance that the business associate will appropriately safeguard the information.

Training (§164.530) The practice must train all members of its workforce on PHI policies and procedures no later than April 14, 2003. Thereafter, your office must train new employees within a reasonable period of time after they join the practice.

All training must be documented. Moreover, the practice must have and apply appropriate sanctions against employees who fail to comply with privacy policies and procedures. Keep in mind, however, that an employer may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual for filing a complaint of non-compliance with the Privacy Standards.