The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted to address several major health care issues, including:
In 1996, HIPAA required insurance companies to accept new applicants if they were currently covered by another insurer, with few exceptions. Health Insurance Portability enabled workers to change jobs and be assured that they would be covered by their new employer's health plan. COBRA was implemented enabling people leaving a job to continue their health insurance for 18 months by paying for it themselves.
Administrative Simplification established a single national standard for billing codes, reducing confusion and denials, and speeding up payments for patient care.
In 2003, the HIPAA Privacy Rule defined Protected Health Information (PHI) as any identifiable record (in any form—written, verbal, or electronic) that included treatment or diagnostic information. Patients were required to receive Notice of Privacy Practices (NPP) from their providers and health plans. Patients were given the right to limit certain access and release of their medical information. Reception areas and pharmacy counters were modified to prevent patients from overhearing confidential information. HIPAA defined 'Covered Entities' as health care providers that bill electronically, payers, and clearinghouses that process data. 'Business Associates' are people or entities that have access to PHI in the course of their work, but are not Covered Entities. Covered Entities were liable for financial penalties for violations. Criminal penalties would be pursued for the unauthorized release of PHI for harm or personal gain.
In 2005, the HIPAA Security Rule provided a framework to protect electronic Protected Health Information (ePHI) stored in computer systems. This rule required written policies and procedures, workforce training, technical systems, and physical barriers to prevent the unauthorized access of patient data. The Security Rule is broken down into Administrative, Physical, and Technical Safeguards; Standards, and Implementation Specifications. The Standards and Implementation Specifications are vague to ensure they are flexible enough for providers and payers of all sizes. Some items are required and others Addressable, meaning a Covered Entity have the option of providing an alternate means to achieve the same goal. (Addressable does not mean Optional.)
In 2009, the HITECH Act made significant changes to HIPAA. The data breach law was modified. Business Associates must comply with HIPAA as if they are Covered Entities. Enforcement, which had been lacking, was funded and performance incentives were given to the US Department of Health and Human Services Office for Civil Rights. State attorneys general were given authority to enforce the HIPAA civil penalties. These changes were part of a federal 'stimulus' financial package that included incenting doctors and hospitals to adopt Electronic Health Record (EHR) systems with a $ 36 billion funding program. These changes were introduced in a temporary Interim Rule waiting for the Final Rule to be published.
In 2012, unprecedented penalties were assessed for HIPAA violations. A small medical practice paid $ 100,000 for using an unsecured online e-mail system for sending patient information, and for using an online calendar to track patient appointments. A hospital was fined $ 1.5 million when a doctor's laptop that contained unencrypted patient records was stolen. A state health department was fined $ 1.7 million when a hard drive was stolen.
In January, 2013, the HIPAA Omnibus Final Rule was published, providing specific requirements and deadlines to comply with the requirements of the HITECH Act of 2009. The Interim Rule was modified with changes to the data breach reporting requirements; Business Associates were not only made responsible for their own compliance and direct liability for data breaches, but are also required to ensure that any subcontractors also are compliant. Another change states that any organization that 'maintains' (stores) PHI or ePHI is a Business Associate, even if they never look at the data. The deadline for compliance with most requirements of the Final Rule is September 23, 2013.
Solutions, Tools, and Products
Find and select IT Professionals that can provide guidance to EMR relevant products and services, create IT assessments, provide IT infrastructure, install computer technology as well as maintain and support all of your practice technology.
Related Terms and Acronyms
HITECHAnswers and 4Medapproved partner to bring you the latest
information and guidelines regarding HITECH and Meaningful Use!
To learn more about 4Med+ HIPAA Consulting Services, click here.
Fore more information about 4Medapproved training courses, including HIPAA training, click here.
Last Updated: March 29, 2013