Health Insurance Portability and Accountability Act

Federal health insurance legislation, passed in 1996, which set and maintains standards for access, portability, and renewability that apply to both individual and group coverage.


  1. Privacy Rule: Addresses the storage, access and sharing of medical and personal information, including a patient’s right to access that information.
  2. Security Rule: Outlines security standards intended to protect health data created, maintained, transmitted, received or otherwise distributed electronically. Applies at a national level.
  3. Transactions Rule: Specifies standard transactions and code sets, including CPT-3, CPT-4, NDC, ICD-9, ICD-10 and HCPCS codes, intended to ensure the safety, accuracy and security of medical records and PHI.
  4. Identifiers Rule: Three unique identifiers are specified for covered entities: NPI, the National Provider Identifier, a ten-digit number for healthcare providers; NHI, the National Health Plan Identifier, to identify health plans and payers; and the Standard Unique Employer Identifier, the federal EIN, which identifies an employer.
  5. Enforcement Rule: Derived from the HITECH provisions and applied to violations on or after the established compliance date (02.18.2009). Expands the rules under Privacy and Security, increases violation penalties and covers five main areas:
     • HIPAA security and privacy requirements
     • Mandatory federal privacy and breach reporting requirements
     • Creation of new privacy requirements, including accounting of disclosures requirements and sales and marketing restrictions
     • New criminal and civil penalties and enforcement methods for non-compliance
     • Inclusion of security requirements in all business associate contracts

Final Omnibus Rule

Updated the Security Rule and the Breach Notification portion of the HITECH Act in January 2013. Expanded requirements to cover business associates in addition to covered entities. Changed the ‘significant harm’ standard used in breach analysis: an organization must now demonstrate that harm (a low probability of compromise) has not occurred, rather than a patient having to show that harm has occurred. PHI protection was modified to fifty (50) years after a patient’s death, rather than indefinitely; penalties for PHI privacy violations were made more severe.


Health Information Technology for Economic and Clinical Health
Contained within the ARRA (American Recovery and Reinvestment Act) of 2009. Included incentives for private practice physicians and institutional practice organizations to adopt electronic medical records. Additionally introduced a series of fines to enforce the HIPAA rules, primarily rules two and four. Further mandated that business associates, in addition to covered entities, are responsible for maintaining HIPAA compliance.


United States Department of Health and Human Services
Responsible for protecting and enhancing public well-being and health. Provides health and human services, fosters advances in medicine, public health and social services.


Office for Civil Rights
A division of HHS. Responsible for protecting health information privacy and nondiscrimination rights.

Covered Entity

Any entity that provides treatment, payment or operations in healthcare (e.g., a medical or dental office, clinic, psychologist, rehabilitation facility, nursing home, hospital, pharmacy or home healthcare agency). This extends to health plans, health insurance companies, HMOs, company health plans and government programs that pay for health care. Under this definition, healthcare clearinghouses are also covered entities.

Business Associate

Any person or organization that has access to patient information, whether directly, indirectly, physically or virtually, while providing support for treatment, payment or operations (e.g., an Information Technology partner or claims processing company). Other examples include a document destruction company, lawyer or accountant; a telephone service provider or Internet service provider is a business associate only if it has more than transient access to the PHI it carries, since HHS treats a pure transmission service as a conduit rather than a business associate. Business associates are responsible for achieving and maintaining HIPAA compliance with respect to administrative, physical and technical safeguards. A business associate is not a member of the covered entity’s workforce, but performs services on behalf of the covered entity.

Business Associate Agreement

A standard agreement which clearly defines the roles and responsibilities of the business associate and the covered entity; it additionally provides assurance that the associate will take proper steps to implement the administrative, physical and technical safeguards relevant to the services performed on behalf of the covered entity.

Health Information
Any patient information collected by a health care provider, health plan provider, public health authority, employer, healthcare clearinghouse or any other organization that falls under the definition of a covered entity.

Protected Health Information
Includes all individually identifiable health information, in any format, that is created, received, maintained or transmitted by a covered entity or business associate.


Electronic Protected Health Information
Any and all individually identifiable health information that is created, maintained, transmitted or otherwise distributed electronically, including but not limited to email, database and other electronic forms.


Electronic Health Records
Any electronic record of patient health information created by or within a clinical environment or institution, including but not limited to a doctor’s office or hospital. Could include laboratory results, medical history, demographics, immunizations, etc.


Electronic Data Interchange
The exchange or communication of business materials between organizations using electronic means.


An analysis that identifies an organization’s current state and the steps required to reach compliance. Includes an internal evaluation, renewed at least annually; new components are evaluated as they are introduced and then added to the ongoing evaluation. Both covered entities and business associates must perform it: for instance, a third party providing a cloud-based EMR application to one or more covered entities.

HIPAA Violations

An organization that does not comply with the HIPAA rules becomes subject to both criminal and civil penalties. There are three main categories of violation (four penalty tiers, since willful neglect is split in two):

  • Due Diligence: Covers cases in which an organization is in violation, but had taken all reasonable steps to prevent the violation and did not know (and could not reasonably have known) of it.
  • Willful Neglect: There are two types of willful neglect under the HITECH enforcement provisions.
    The first applies when an organization clearly ignores HIPAA law, but corrects the violation within the time provided by HHS.
    The second applies when an organization fails to remediate the violation within the specified time period, and carries greater penalty amounts per violation and a higher maximum penalty amount.
  • Reasonable Cause: A covered entity or business associate has taken some of the required steps toward HIPAA compliance but has failed to address some required component. For instance, a company which completes a HIPAA audit and identifies a gap, but which then fails to complete the required steps to close that gap, falls into the reasonable cause category rather than the willful neglect category.