HIPAA requirements in a nutshell
Here’s a brief overview of privacy requirements under the Health Insurance Portability and Accountability Act (HIPAA) of 1996:
• Compliance schedule: The final rule took effect on April 14, 2001. Most covered entities have to fully comply with the rule’s provisions by April 14, 2003.
• Covered entities: The regulation covers health plans, health care clearinghouses, and health care providers who conduct certain financial and administrative transactions electronically.
• Information protected: All medical records and other individually identifiable health information used or disclosed by a covered entity in any form, whether electronically, on paper, or orally, are covered by the final rule.
• Consumer control: Patients will have significant new rights to understand and control how their health information is used. Providers and health plans will need to give patients a clear written explanation of how the health information might be used and disclosed. Patients also will be able to see and obtain copies of their records, and they can request amendments. Also, health care providers who see patients will be required to obtain patient consent before sharing their information for treatment, payment, and health care operations. Separate patient authorization must be obtained for nonroutine disclosures and most nonhealth care purposes. Patients will have the right to request restrictions on the uses and disclosures of their information. If patients believe their rights have been violated, they may file a formal complaint with the covered provider or health plan or with the U.S. Department of Health and Human Services (HHS) about the violations.
• Boundaries of medical record use: An individual’s health information may be used only for health purposes, with few exceptions, including an exception for appropriate law enforcement needs. In general, disclosures of information will be limited to the minimum necessary for the purpose of the disclosure, but this provision does not apply to disclosure of medical records for treatment purposes.
• Ensure the security of the information: Covered entities may design their own policies and procedures to meet security standards, but in general they will have to adopt written privacy procedures. Issues include who will have access to protected information, how it will be used within the entity, and when the information may be disclosed. Covered entities also must take steps to ensure that their business associates protect the privacy of health information. And they must train employees and designate a privacy officer who will be responsible for ensuring the procedures are followed.
• Establish accountability for medical records use and release: Congress has provided penalties for covered entities that misuse personal health information, including civil penalties that can be applied to health plans, providers, and clearinghouses that violate HIPAA standards. Civil penalties are $100 per violation, up to $25,000 per person, per year, for each requirement or prohibition violated. Under HIPAA, covered entities that knowingly violate patient privacy are subject to criminal penalties of up to $50,000 and one year in prison for obtaining or disclosing protected health information; up to $100,000 and five years in prison for obtaining protected health information under false pretenses; and up to $250,000 and 10 years in prison for obtaining or disclosing protected health information with the intent to sell, transfer, or use it for commercial advantage, personal gain, or malicious harm.
• Balancing public responsibility with privacy protections: In limited circumstances, the final rule permits covered entities to continue certain existing disclosures of health information without individual authorization for specific public responsibilities. These permitted disclosures include research, but research disclosures are generally limited to cases where a waiver of authorization is independently approved by a privacy board or IRB. Other permitted disclosures are for emergency circumstances; identification of the body of a deceased person, or for finding the cause of death; public health needs; oversight of the health care system; judicial and administrative proceedings; limited law enforcement activities; and activities related to national defense and security.
• Special protection for psychotherapy notes: Psychotherapy notes (used only by a psychotherapist) are held to a higher standard of protection because they are not part of the medical record and are never intended to be shared with anyone else. All other personal health information is considered to be sensitive and protected consistently under this rule.
• Equivalent requirements for government entities: The final rule applies equally to private sector and public sector entities.
• Cost of implementation: The projected implementation costs are $17.6 billion over 10 years.
• Preserving existing state confidentiality laws: Stronger state laws, like those covering mental health, HIV infection, and AIDS information, continue to apply. These confidentiality protections are cumulative; the final rule sets a national floor of privacy standards that protect all Americans. In circumstances where states have enacted laws to require certain disclosures of health information, the final rule does not preempt these mandates.
• Compliance and enforcement: The final rule will be enforced by the HHS Office for Civil Rights (OCR). Before covered entities must comply with the rule, OCR will provide assistance to providers, plans, and health clearinghouses in meeting the requirements of the regulation. A web site on the new regulation is available at www.hhs.gov/ocr/hipaa/.