The law known as "HIPAA" stands for the Health Insurance Portability and Accountability Act of 1996. Congress passed this landmark law to give consumers greater access to health insurance, to protect the privacy of health care data, and to promote standardization and efficiency in the health care industry. While HIPAA covers a number of important health care issues, this informational series focuses on the Administrative Simplification portion of the law, specifically HIPAA's Electronic Transactions and Code Sets requirements. There are four parts to HIPAA's Administrative Simplification:

HIPAA and research
The HIPAA Privacy Rule contains provisions that apply to research involving the use or disclosure of protected health information (PHI). PHI is health information that is individually identifiable. PHI may be used for research through several mechanisms.

Introduction
The Health Insurance Portability and Accountability Act of 1996 (HIPAA; also known as the Kennedy–Kassebaum Act or Kassebaum–Kennedy Act) consists of five titles.[1][2][3][4][5]
Questions To Consider
Why was the Health Insurance Portability and Accountability Act (HIPAA) established?
Whom does HIPAA cover?
What are basic HIPAA goals?
What health information is protected?
How does the HIPAA Privacy Rule distinguish between the use and the disclosure of information?
What are the legal exceptions when health care professionals can breach confidentiality without permission?
What types of data does HIPAA protect?
What types of electronic devices must facility security systems protect?
What is the job of a HIPAA security officer?
What does a security risk assessment entail?
What are physical safeguards?
What type of employee training for HIPAA is necessary?
What type of reminder policies should be in place?
How should a sanctions policy for HIPAA violations be written?
What discussions regarding patient information may be conducted in public locations?
How do you protect electronic information?
How do you ensure password protection?
How do you select a safe password?
Function
What is the function of HIPAA? In passing HIPAA, Congress required the establishment of federal standards for the security of electronic protected health information. Those standards are meant to ensure the confidentiality, integrity, and availability of health information, protecting the individual's data while still granting health care providers, clearinghouses, and health plans the access they need for continued medical care.[6][7][8][9][10]
Issues of Concern
The act has five sections, known as titles.[11][12][13][14]

Title I: Health Care Access, Portability, and Renewability
Title II: Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform
HHS issued five rules to implement Administrative Simplification: (1) the Privacy Rule, (2) the Transactions and Code Sets Rule, (3) the Security Rule, (4) the Unique Identifiers Rule, and (5) the Enforcement Rule.

Privacy Rule
The HIPAA Privacy Rule regulates the use and disclosure of protected health information (PHI) by "covered entities." These entities include health care clearinghouses, health insurers, employer-sponsored health plans, and medical providers. Upon request, a covered entity must provide an individual with access to their own PHI within 30 days. Covered entities also disclose PHI where the law requires it, for example to an authorized agency investigating suspected child abuse.
2013 Omnibus Rule Update
The 2013 Omnibus Rule implemented the HITECH Act changes to HIPAA. Business associates (and their subcontractors) became directly liable for compliance with the Security Rule and the applicable parts of the Privacy Rule, and an impermissible use or disclosure of PHI is now presumed to be a reportable breach unless a documented risk assessment shows a low probability that the PHI was compromised.
Right to Access
The Privacy Rule requires medical providers to give individuals access to their PHI when they request it in writing. A provider has 30 days to provide a copy of the information to the individual, who may request it in electronic form or as a hard copy.
Relative Disclosure
Hospitals are often reluctant to reveal information over the phone to relatives of admitted patients. The Privacy Rule does permit sharing information relevant to a family member's involvement in the patient's care, provided the patient has had the opportunity to object, so a blanket refusal is usually institutional policy rather than a HIPAA requirement.
Transactions and Code Sets Rule
HIPAA was created in part to improve health care system efficiency by standardizing health care transactions. It added a new Part C, titled "Administrative Simplification," to Title XI of the Social Security Act, which requires health plans to use standard formats and code sets for electronic health care transactions such as claims, eligibility checks, and remittances.
Security Rule
The Security Rule complements the Privacy Rule. While the Privacy Rule applies to all protected health information in any form or medium (electronic, paper, or oral), the Security Rule is limited to electronic protected health information (ePHI). It lays out three types of security safeguards: administrative, physical, and technical.

Administrative Safeguards
Policies and procedures designed to show clearly how the entity will comply with the act, including risk analysis and risk management, workforce training, sanctions for violations, and contingency planning.

Physical Safeguards
Controls on the facilities and hardware that hold ePHI: facility access controls, workstation use and workstation security policies, and device and media controls covering the disposal, reuse, and movement of equipment that stores ePHI.

Technical Safeguards
Technical safeguards include controlling access to computer systems (unique user identification, authentication, and automatic logoff), audit controls that record activity on systems holding ePHI, integrity controls, and transmission security so that covered entities can protect communications containing ePHI sent electronically over open networks.
Unique Identifiers Rule (National Provider Identifier, NPI)
HIPAA-covered entities such as providers completing electronic transactions, health care clearinghouses, and large health plans must use only the National Provider Identifier (NPI) to identify covered health care providers in standard transactions. The NPI replaces all other identifiers previously used by health plans, Medicare, Medicaid, and other government programs, but it does not replace a provider's DEA number, state license number, or tax identification number. The NPI is a 10-position numeric identifier whose last digit is a check digit, computed with the Luhn formula over the first nine digits with the constant prefix 80840 prepended. The NPI contains no embedded intelligence; the number itself carries no additional meaning. It is unique and national, never reused, and except for institutions a provider usually has only one. An institution may obtain multiple NPIs for different "subparts" such as a free-standing surgery or wound care center.

Enforcement Rule
According to HHS, the most frequently reported compliance issues are, in order of frequency:
The entities most commonly required to take corrective action are, according to HHS and in order of frequency:
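The NPI check digit described under the Unique Identifiers Rule above is a concrete, testable property, so here is a validator for it. This is an added example, not code from the StatPearls article or from CMS; it implements the published construction (Luhn formula over the nine identifier digits with the prefix 80840 prepended). The identifiers and the sample line below are constructed for illustration and are not real providers or real records.

```python
import re

# ISO/IEC 7812 issuer prefix for US health applications; CMS prepends it to
# the nine identifier digits before applying the Luhn formula.
NPI_PREFIX = "80840"


def luhn_check_digit(payload: str) -> int:
    """Return the Luhn check digit that would be appended to `payload`."""
    total = 0
    # Walk right to left. The rightmost payload digit is doubled because the
    # check digit will sit to its right once appended.
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9  # equivalent to summing the two digits of the product
        total += d
    return (10 - total % 10) % 10


def npi_check_digit(identifier: str) -> int:
    """Check digit for the nine-digit identifier part of an NPI."""
    if len(identifier) != 9 or not identifier.isdigit():
        raise ValueError("NPI identifier part must be exactly nine digits")
    return luhn_check_digit(NPI_PREFIX + identifier)


def is_valid_npi(npi: str) -> bool:
    """True if `npi` is ten digits and its last digit is the correct check digit.

    A correct check digit only shows the number is well formed; it does not
    show the NPI has actually been issued. Query NPPES for that.
    """
    if len(npi) != 10 or not npi.isdigit():
        return False
    return npi_check_digit(npi[:9]) == int(npi[9])


# Any run of exactly ten digits not adjacent to other digits.
TEN_DIGITS = re.compile(r"(?<!\d)(\d{10})(?!\d)")


def extract_npis(text: str) -> list[str]:
    """Pull well-formed NPIs out of free text such as a claims export or a log.

    Phone numbers and other ten-digit values are also candidates, but a random
    ten-digit number passes the check digit only one time in ten, so filtering
    on it removes most false positives before any manual review.
    """
    return [m for m in TEN_DIGITS.findall(text) if is_valid_npi(m)]


# Constructed sample line: one well-formed NPI, one with a wrong check digit,
# and a ten-digit phone number.
SAMPLE_LINE = "rendering NPI 1234567893 billing NPI 1234567890 callback 5551234567"

if __name__ == "__main__":
    print(npi_check_digit("123456789"))  # 3
    print(is_valid_npi("1234567893"))    # True
    print(extract_npis(SAMPLE_LINE))     # ['1234567893']
```

Because the prefix 80840 contributes a constant 24 to the Luhn sum, some implementations skip the prefix and add 24 directly; the result is the same, and the version above makes the origin of that constant visible.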
Title III: Tax-related health provisions governing medical savings accounts
Title IV: Application and enforcement of group health insurance requirements
Title IV specifies conditions for group health plans regarding coverage of persons with pre-existing conditions and modifies continuation of coverage requirements. It clarifies continuation coverage requirements and includes COBRA clarification.

Title V: Revenue offset governing tax deductions for employers
Clinical Significance
The HIPAA Privacy and Security Rules have substantially changed the way medical institutions and health providers function. The complex legalities and severe civil and financial penalties, together with the increase in paperwork and implementation costs, have had a substantial impact on health care. All health professionals must be trained in HIPAA and understand the potential pitfalls and acts that can lead to a violation.[15][16][17][18][19]

Clinical Care Effects
HIPAA, combined with stiff penalties for violations, may result in medical centers and practices withholding life-saving information from those who have a right to it and need it at a crucial moment. Reviewing the effects of the Privacy Rule, the US Government Accountability Office found that health care providers were "uncertain about their legal privacy responsibilities and often responded with an overly guarded approach to disclosing information." Ultimately, the solution is the education of all health care professionals and their support staff so that they fully appreciate when protected health information can legally be released.

Education and Training Effects
Education and training of health care providers and students are needed to implement the HIPAA Privacy and Security Rules. Effective training must describe the regulatory background and purpose of HIPAA and review the principles and key provisions of the Privacy Rule.

Research Effects
HIPAA restrictions on research have affected the ability to perform chart-based retrospective research and have made it more difficult to evaluate patients prospectively for follow-up. Many researchers believe that the HIPAA privacy rules have a negative impact on the cost and quality of medical research.

Costs
The HIPAA Privacy and Security Rules require all medical centers and medical practices to come into and stay in compliance. The costs of developing and revamping systems and practices, together with the increase in paperwork and staff education time, have strained the finances of medical centers and practices at a time when insurance company and Medicare reimbursements have decreased. Ultimately, the cost of violating the statutes is so substantial that scarce resources must be devoted to making sure an institution is compliant and its employees understand the statutory rules.

Conclusions
HIPAA is a potential minefield of violations that almost any medical professional can commit. Staff with less education and understanding can easily violate these rules in the normal course of work. While a small percentage of criminal violations involve personal gain or nosy behavior, most violations are momentary lapses that result in costly mistakes. Writing an incorrect address, phone number, email, or text on a form, or speaking protected information aloud, can jeopardize a practice. HIPAA education and training are crucial, as is designing and maintaining systems that minimize human mistakes.

Other Issues
Violations of HIPAA

Civil
Criminal
The US Department of Health and Human Services Office for Civil Rights has received over 100,000 complaints of HIPAA violations; many have been resolved through corrective action or civil money penalties, and some have been referred for criminal prosecution. Examples of HIPAA violations and breaches include:
References
1. Tariq RA, Hackert PB. Patient Confidentiality. In: StatPearls [Internet]. Treasure Island (FL): StatPearls Publishing; Oct 7, 2021. [PubMed: 30137825]
2. Mermelstein HT, Wallack JJ. Confidentiality in the age of HIPAA: a challenge for psychosomatic medicine. Psychosomatics. 2008 Mar-Apr;49(2):97-103. [PubMed: 18354061]
3. Kessler SR, Pindek S, Kleinman G, Andel SA, Spector PE. Information security climate and the assessment of information security risk among healthcare employees. Health Informatics J. 2020 Mar;26(1):461-473. [PubMed: 30866704]
4. Iyiewuare PO, Coulter ID, Whitley MD, Herman PM. Researching the Appropriateness of Care in the Complementary and Integrative Health Professions Part 2: What Every Researcher and Practitioner Should Know About the Health Insurance Portability and Accountability Act and Practice-based Research in the United States. J Manipulative Physiol Ther. 2018 Nov-Dec;41(9):807-813. [PMC free article: PMC6684225] [PubMed: 30755332]
5. Liu X, Sutton PR, McKenna R, Sinanan MN, Fellner BJ, Leu MG, Ewell C. Evaluation of Secure Messaging Applications for a Health Care System: A Case Study. Appl Clin Inform. 2019 Jan;10(1):140-150. [PMC free article: PMC6393161] [PubMed: 30812040]
6. Berry MD, Thomson Reuters Accelus. Healthcare Reform. Enforcement and Compliance. Issue Brief Health Policy Track Serv. 2018 Dec 24;2018:1-38. [PubMed: 30681783]
7. Berry MD, Thomson Reuters Accelus. Business of Health. Business of Healthcare. Issue Brief Health Policy Track Serv. 2018 Dec 24;2018:1-60. [PubMed: 30681304]
8. Lam JS, Simpson BK, Lau FH. Health Insurance Portability and Accountability Act Noncompliance in Patient Photograph Management in Plastic Surgery. Ann Plast Surg. 2019 May;82(5):486-492. [PubMed: 30648996]
9. Reynolds RA, Stack LB, Bonfield CM. Medical photography with a mobile phone: useful techniques, and what neurosurgeons need to know about HIPAA compliance. J Neurosurg. 2019 Jan 04;132(1):260-264. [PubMed: 30611147]
10. Kels CG, Kels LH. Potential Harms of HIPAA. JAMA. 2018 Dec 11;320(22):2378-2379. [PubMed: 30535213]
11. Mattioli M. Security Incidents Targeting Your Medical Practice. MD Advis. 2018 Summer;11(2):4-10. [PubMed: 30570893]
12. Baker FX, Merz JF. What gives them the right? Legal privilege and waivers of consent for research. Clin Trials. 2018 Dec;15(6):579-586. [PubMed: 30280910]
13. Sims MH, Hodges Shaw M, Gilbertson S, Storch J, Halterman MW. Legal and ethical issues surrounding the use of crowdsourcing among healthcare providers. Health Informatics J. 2019 Dec;25(4):1618-1630. [PubMed: 30192688]
14. Kloss LL, Brodnik MS, Rinehart-Thompson LA. Access and Disclosure of Personal Health Information: A Challenging Privacy Landscape in 2016-2018. Yearb Med Inform. 2018 Aug;27(1):60-66. [PMC free article: PMC6115206] [PubMed: 30157506]
15. Bradley D. HIPAA compliance efforts. Pediatr Emerg Care. 2004 Jan;20(1):68-70. [PubMed: 14716172]
16. Butler M. Top HITECH-HIPPA compliance obstacles emerge. J AHIMA. 2014 Apr;85(4):20-4; quiz 25. [PubMed: 24834549]
17. White JM. HIPPA compliance for vendors and suppliers. J Healthc Prot Manage. 2014;30(1):91-7. [PubMed: 24707761]
18. McMahon EB, Lee-Huber T. HIPPA privacy regulations: practical information for physicians. Pain Physician. 2001 Jul;4(3):280-4. [PubMed: 16900255]
19. Bilimoria NM. HIPPA security rule compliance for physicians: better late than never. J Med Pract Manage. 2005 Jul-Aug;21(1):39-42. [PubMed: 16206804]