The Department of Health and Human Services (HHS) recently issued a Health Insurance Portability and Accountability Act (HIPAA) fact sheet for health care professionals and organizations.
The Department of Health and Human Services (HHS) recently issued a Health Insurance Portability and Accountability Act (HIPAA) fact sheet for health care professionals and organizations.
The overview is titled “HIPAA Basics for Providers: Privacy, Security and Breach Notification Rules” and is intended to provide HIPAA covered entities such as physicians, health care facilities and other licenced health care professionals with a basic overview of HIPAA’s rules and responsibilities. Click here to view the HIPAA fact sheet.
HIPAA Privacy Rule.
The privacy rule is established as a standard for the protection of protected health information (PHI) by covered entities. It gives patients vital rights with respect to their health information. The following is protected information under this rule:
1. The individual’s past, present or future physical or mental health or condition;
2. The provision of health care to the individual; or
3. The past, present or future payment for the provision of health care to the individual.
PHI also includes common identifiers, such as name, address, birth date and Social Security Number.
HIPAA Security Rule.
This rule specifies safeguards that covered entities are required to implement to protect the confidentiality, integrity and availability of health information. To properly enforce this rule, covered entities must develop policies and procedures to protect the security of electronic protected health information (ePHI). This includes analyzing risks and creating solutions that are appropriate for the situation. For more information from HHS on the implementation of the security standards, click here.
HIPAA Breach Notification Rule.
Affected individuals, HHS and in certain cases, the media are required to be notified of a breach of PHI. The rule includes the following guidelines:
1. Most notifications must be provided without unreasonable delay and no later than 60 days following the discovery of the breach.
2. Smaller breaches affecting fewer than 500 individuals may be submitted to HHS in a log or other documentation annually.
3. Business associates of covered entities are also required to notify the covered entity of breaches.
To view the breach notification timelines included in the HIPAA fact sheet, click here.
Who is Required to Comply With HIPAA Rules?
The following covered entities must follow HIPAA standards and requirements:
1. Covered Health Care Providers: Any provider of medical or other health care services or supplies who transmits any health information in electronic form in connection with a transaction for which HHS has adopted a standard. This includes doctors, chiropractors, dentists, pharmacies, psychologists, clinics and nursing homes.
2. Health Plans: Any individual or group plan that provides or pays the cost of health care. This includes company health plans, government programs for health care such as Medicaid and Medicare, along with the military and health insurance companies.
3. Health Care Clearinghouses: A public or private entity that processes another entity’s health care transactions from a standard format to a non-standard format or vice versa. This includes billing services, community health management information systems, repricing companies and value-added networks.
4. Business Associates: Provide services to covered entities and are extensions of the previous entities listed, including legal services, billing, financial services and accreditation.
Enforcement and Repercussions.
The HHS Office for Civil Rights enforces the HIPAA Privacy, Security and Breach Notification Rules. Violation of these rules may result in civil and in some cases criminal penalties. HIPAA violations can also lead to Medicare exclusion which is often a death sentence for a health care provider. To read a previous blog I wrote on the penalties of HIPAA violations, including a chart outlining the penalty structure, click here.
Sources:
Hamlet, Julie. “HHS ISSUES HIPAA “BASICS” FACT SHEET”. Foster Swift. (September 2, 2015). Web
Department of Health and Human Services. “HIPAA Basics for Providers: Privacy, Security and Breach Notification Rules”. (May, 2015). Web