HIPAA is the acronym for the Health Insurance Portability and Accountability
Act. Although HIPAA covers many things, physicians typically are most concerned
with HIPAA’s Administrative Simplification provisions, and particularly the
Privacy, Security and Breach Notification requirements. Since it was originally
enacted, HIPAA has been amended and expanded several times as a result of new
laws and regulations. The most sweeping change resulted from the Health
Information Technology for Economic and Clinical Health Act (HITECH), enacted
as part of the American Recovery and Reinvestment Act of 2009 (ARRA).
This toolkit provides an overview of the HIPAA Privacy, Security and Breach
Notification Rules with which almost all physicians must comply. At their core,
these rules simply implement longstanding physician commitments to protect the
confidentiality of their patients’ medical information and maintain open
physician-patient communications. However, the specificity of the requirements
goes well beyond traditional, self-evident obligations, and violations can
result in serious penalties. Thus, physicians need to understand these rules
and participate in a formal compliance plan designed to ensure all the requirements
are met. Physicians should also note that HIPAA is considered a “floor,”
meaning, states may have requirements that go above and beyond what the federal
government requires. This toolkit is focused on the federal mandates.
In a nutshell, these three core compliance areas include:
1. The Privacy Rule
The Privacy Rule restricts covered entities’ and business associates’ use and
disclosure of an individual’s "protected health information" (PHI).
Physicians who transmit PHI electronically in a HIPAA Standard Transaction,
such as by filing electronic claims or checking eligibility electronically even
if they are using a third party such as a billing service or a clearinghouse,
are “covered entities,” and bound by HIPAA. “Business associates” include
those persons and companies that physicians hire to help their practice and
that have access to their patients’ PHI, such as billing services, attorneys,
accountants and consultants. "Protected health information" means
individually identifiable information that is held or transmitted by a covered
entity or business associate in any form or media, whether electronic, paper,
or oral, that relates to the past, present, or future physical or mental health
of an individual, health care services, or payment for health care. The Privacy
Rule also provides for “individual rights” such as a patient’s right to access
their PHI, restrict disclosures, request amendments or an accounting of
disclosures and their right to complain without retaliation.
2. The Security Rule
The Security Rule requires covered physician practices to implement a number of
what are known as “administrative, technical, and physical safeguards”
(described further on page 14) to ensure the confidentiality, integrity, and
availability of electronic PHI. "Electronic PHI or ePHI" refers to
all individually identifiable health information a covered entity or business
associate creates, receives, maintains or transmits in electronic form. The
Security Rule does not apply to PHI transmitted orally or in paper form.
3. The Breach Notification Rule
The Breach Notification Rule requires covered physician practices to notify
affected individuals, the Secretary of the U.S. Department of Health &
Human Services (HHS) and, in some cases, the media when they discover a breach
of a patient’s unsecured PHI.