The Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), also known as HIPPA, was enacted as part of a broad Congressional attempt at incremental healthcare reform. The “Administrative Simplifications” aspect of the law requires the United States Department of Health and Human Services (DHHS) to develop standards and requirements for maintenance and transmission of health information that identifies individual patients. (Protected Healthcare Information)
These standards are designed to:
- Improve the efficiency and effectiveness of the healthcare system by standardizing the interchange of electronic data for specified administrative and financial transaction; and
- Protect the security and confidentiality of electronic health information.
The requirements outlined by the law and the regulations promulgated by DHHS are far-reaching – all healthcare organizations that maintain or transmit electronic health information, must comply. This includes health plans, healthcare clearinghouses and healthcare providers from large integrated delivery networks to individual physician offices. After the final standards are adopted, small health plans have 36 months to comply. Other, including healthcare providers, must comply within 24 months.
What is HIPAA?
HIPAA is the acronym for the Health Insurance Portability and Accountability Act. These laws were passed to improve the quality of healthcare in the United States by restoring trust in the healthcare system among patients, healthcare professionals and various healthcare organizations and individuals.
Why were the HIPAA regulations created?
To guarantee the security and privacy of health information and protect the rights of patients with respect to confidential information.
What information is protected under HIPAA?
All medical records, whether communicated electronically or on paper, that contain any “individually identifiable health information”.
What is “individually identifiable health information?”
It is information that is collected from any individual that:
- Is created or received by a health care provider, health plan, or health care clearinghouse; and
- Relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and
- Identifies the individual; or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.
Who is mandated under HIPAA to comply?
Any healthcare provider, healthcare clearinghouse or health plan.
What must these various healthcare providers do to comply?
All healthcare organizations must establish written privacy procedures that are to be provided to patients and outline the healthcare provider’s policies and practices with respect to protected health information. The healthcare provider must also train employees on policies and procedures with respect to protected information and designate a privacy official who is responsible for the development and implementation of the providers’ policies and procedures dealing with protected health information. If these policies and procedures are not adhered to, a grievance process must be established.
When must healthcare providers comply with HIPAA?
Most healthcare providers and organizations have twenty-four (24) months from the effective date of the final rules to be in compliance. The Act took effect in April 2001 and compliance, in most cases, must be by April 2003.
What are the penalties for non-compliance or violations?
There are civil and criminal penalties that can be enforced:
- Civil: $100 per incident up to $25,000 per person per year, per standard.
Criminal: Up to $50,000 and 1 year in prison for obtaining or disclosing protected health information. Up to $100,000 and 5 years in prison for obtaining protected health information under “false pretences”. Up to $150,000 and 10 years in prison for obtaining or disclosing protected health information with intent to sell, transfer or use for commercial advantage, personal gain or malicious harm.