What Is HIPAA – A Brief History Lesson

Are you like a lot of other practices that are trying to figure out what HIPAA really is and how to be compliant? Or, are you just looking to avoid fines for non-compliance?

If you answered yes to one of those questions, you definitely want to continue reading.

What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted to address several major healthcare issues, including:

  • Health insurers denying new applicants because of pre-existing conditions and medical histories. This made it difficult for people who wanted to change jobs and keep their health insurance.
  • Each insurance company maintained its own list of treatment billing codes, which confused providers and resulted in denials and payment delays. Could you imagine if every insurance company had different codes for the exact same procedure?
  • Providers and payers controlled medical records, and patients had no protection against the unauthorized release of their personal information.

In 1996, HIPAA required insurance companies to accept new applicants if they were currently covered by another insurer, with few exceptions. Health Insurance Portability enabled workers to change jobs and be assured that they would be covered by their new employer’s health plan. Administrative Simplification established a single national standard for billing codes, reducing confusion and denials, and speeding up payments for patient care.

Privacy Rule

In 2003, the HIPAA Privacy Rule defined Protected Health Information (PHI) as any identifiable record, in any form (written, verbal, or electronic), that includes treatment or diagnostic information. Providers and health plans were required to give patients a Notice of Privacy Practices (NPP). Patients were given the right to limit certain access to and release of their medical information. Reception areas and pharmacy counters were modified to prevent patients from overhearing confidential information. HIPAA defined ‘Covered Entities’ as health care providers that bill electronically, payers, and clearinghouses that process data. ‘Business Associates’ are people or entities that have access to PHI in the course of their work but are not Covered Entities. Covered Entities were made liable for financial penalties for violations. Criminal penalties would be pursued for the unauthorized release of PHI for harm or personal gain.

Security Rule

In 2005, the HIPAA Security Rule provided a framework to protect electronic Protected Health Information (ePHI) stored in computer systems. This rule required written policies and procedures, workforce training, technical systems, and physical barriers to prevent unauthorized access to patient data. The Security Rule is organized into Administrative, Physical, and Technical Safeguards, which are in turn made up of Standards and Implementation Specifications. The Standards and Implementation Specifications are deliberately general so that they are flexible enough for providers and payers of all sizes. Some Implementation Specifications are Required and others Addressable, meaning a Covered Entity may have the option of using an alternate means to achieve the same goal. Addressable, however, does not mean optional.

HITECH Act

In 2009, the HITECH Act made significant changes to HIPAA. The data breach law was modified. Business Associates must now comply with HIPAA largely as if they were Covered Entities. Enforcement, which had been lacking, was funded, and performance incentives were given to the US Department of Health and Human Services and its Office for Civil Rights. State attorneys general were given authority to enforce the HIPAA civil penalties. These changes were part of a federal ‘stimulus’ financial package that included a $36 billion funding program to encourage doctors and hospitals to adopt Electronic Health Record (EHR) systems. The changes were introduced in a temporary Interim Rule pending publication of the Final Rule.

In 2012, unprecedented penalties were assessed for HIPAA violations. A small medical practice paid $100,000 for using an unsecured online e-mail system for sending patient information, and for using an online calendar to track patient appointments. A hospital was fined $1.5 million when a doctor’s laptop that contained unencrypted patient records was stolen. A state health department was fined $1.7 million when an unencrypted hard drive was stolen.

In January 2013, the HIPAA Omnibus Final Rule was published, setting out specific requirements and deadlines for complying with the HITECH Act of 2009. The Interim Rule was modified with changes to the data breach reporting requirements; Business Associates were not only made responsible for their own compliance and directly liable for data breaches, but were also required to ensure that any subcontractors were compliant. The deadline for compliance with most requirements of the Final Rule was September 23, 2013.

The author, Matt LaMaster, is the Founder and Principal Attorney of The LaMaster Law Firm, PLLC, a boutique-style law firm committed to delivering legal services to dental practices, chiropractors, and healthcare facilities.

For more information about Matt LaMaster, The LaMaster Law Firm, PLLC, and HIPAA compliance, visit www.lamasterlaw.com.