What is HIPAA?
HIPAA is the acronym for the Health Insurance Portability and Accountability Act of 1996.
Title I of HIPAA consists of rules governing insurance reform, which protect health insurance coverage for workers and their families when they change or lose their jobs. Title II of HIPAA, known as Administrative Simplification, has four parts:
- Electronic transactions and code sets
- Unique identifiers
- Security standards (the Security Rule)
- Privacy standards (the Privacy Rule)
It is the intent of the government that adopting these standards will improve the efficiency and effectiveness of the nation's health care system by encouraging the widespread use of electronic data interchange in health care.
How does HIPAA affect my practice?
Electronic transactions and code sets
Compliance with the electronic transactions and code sets standards should already have been completed by either your billing software vendor or your billing clearinghouse. Other than a likely software upgrade, these standards should not have had a major impact on your day-to-day operations.
Unique identifiers
Providers must apply for a National Provider Identifier (NPI). CMS started accepting applications for an NPI on May 23, 2005. All providers must obtain and start using NPIs by May 23, 2007.
Security Rule
This rule specifies a series of administrative, technical, and physical security procedures that covered entities must use to ensure the availability, integrity and confidentiality of electronic protected health information.
These rules apply to the provider and the facility's staff, not to the provider's software vendor. Merely having billing software that is HIPAA compliant does not make the facility compliant with the requirements of this rule.
The Security Rule introduces requirements to protect electronic protected health information (ePHI), and requires safeguards in the following three categories:
Administrative Safeguards – providers must have written policies and procedures to control access to electronic protected health information and ensure business continuity in case of disaster or emergency. They must conduct a risk analysis of their systems and document the risks as well as the measures used to reduce risks and vulnerabilities to a reasonable and appropriate level.
Physical Safeguards – policies, procedures and measures to control physical access to electronic protected health information.
Technical Safeguards – policies, procedures and mechanisms to control access to electronic protected health information and ensure the integrity of data.
In addition, Business Associate agreements must be signed, staff must be trained, and a person charged with security responsibility must be assigned.
Although implementation of the Security Rule is less public, the cost of non-compliance is just as severe. A breach caused by failing to follow the HIPAA data security standards typically exposes every record on the affected system at once, so the actual risk to PHI (Protected Health Information) is orders of magnitude greater than the risk from an isolated violation of the privacy standard, which usually involves a single patient's information. Unfortunately, because this standard has not generated the same publicity as the privacy standard, it is often overlooked.
Privacy Rule
This is perhaps the most well-publicized regulation within HIPAA. The privacy regulations ensure privacy protections for patients by limiting the ways that health plans, pharmacies, hospitals and other covered entities can use patients' personal medical information. The regulations protect medical records and other individually identifiable health information, whether it is on paper, in computers or communicated orally. Key provisions of the standard include:
- Written privacy procedures
- Employee training and assigning a privacy officer
- Safeguards
- Public responsibilities
- Patient access to medical records
- Notice of privacy practices
- Limits on use of personal medical information
- Prohibition on marketing
- Confidential communications
- Complaint procedures
What is the cost of non-compliance?
HIPAA compliance may be enforced via civil penalties by the Department of Health and Human Services (HHS), and via criminal penalties by the US Department of Justice.
The structure of civil penalties issued by HHS is not more than $100 per incident of a violation, with a maximum of $25,000 per year per identical requirement or prohibition. For example, failing to issue a notice of privacy practices to patients may result in a fine of $100 per patient, reaching the $25,000 annual maximum once 250 patients have been seen. (These are the original HIPAA figures; the HITECH Act of 2009 raised the civil penalty tiers substantially.)
The Department of Justice is authorized to bring criminal charges for wrongful disclosure of individually identifiable health information. The penalties are very serious:
- A fine of up to $50,000, imprisonment for up to 1 year, or both.
- If the offense is committed under false pretenses, a fine of up to $100,000, imprisonment for up to 5 years, or both.
- If the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, a fine of up to $250,000, imprisonment for up to 10 years, or both.
Non-compliance with HIPAA regulations also exposes providers to the threat of civil litigation by anyone whose PHI has not been adequately protected. HIPAA itself does not create a private right of action, but plaintiffs commonly cite its standards as the duty of care in negligence suits brought under state law.
Can I get help in implementing and understanding the details of all these requirements?
Yes! Safety Compliance Services & Consulting Inc has implemented HIPAA programs for all types of healthcare entities. We can provide you with the written policies that you need and the customized forms that are required to be in compliance. Our experienced instructors provide training to all staff, as per HIPAA training requirements, so that they understand these regulations and their practical application.
For more information call us at 718-377-1107.