Whenever those of us working in the healthcare industry hear the HIPAA acronym, we automatically think of the rule to keep our mouths shut about patients. We have all sat through hours of training sessions for new jobs or annual competencies where HIPAA was discussed, and after all that time the one thing we take away is to keep our mouths shut about patients. HIPAA, however, involves much more than that and needs to be taken seriously by everyone.
The United States Congress passed HIPAA, the Health Insurance Portability and Accountability Act, in 1996. It was the first federal legislation to establish national standards for the privacy and security of protected health information (PHI) in the United States. It has taken on greater significance in recent years with the growing number of health data breaches caused by cyber-attacks and by ransomware attacks on health insurers and providers.
HIPAA is divided into five sections, designated by Title.
Title I. HIPAA Health Insurance Reform protects health insurance coverage for individuals who lose or change jobs. This includes limiting the ability of group health plans to exclude coverage for pre-existing conditions and prohibiting discrimination in eligibility or premiums based on an individual's health status.
Title II. HIPAA Administrative Simplification directs the US Department of Health and Human Services (HHS) to establish national standards for processing electronic healthcare transactions. It requires healthcare organizations to implement secure electronic access to health data and to remain in compliance with the privacy regulations issued by HHS. Title II comprises five rules:
National Provider Identifier Standard – Each covered healthcare provider, whether an individual or an organization, must have a unique 10-digit National Provider Identifier (NPI) and use it in standard transactions.
Transactions and Code Sets Standard – Healthcare organizations must follow a standardized mechanism for electronic data interchange (EDI), including standard transaction formats and code sets, in order to submit and process insurance claims.
HIPAA Privacy Rule – This is the "keep your mouth shut about patients' information" section. It is officially called the Standards for Privacy of Individually Identifiable Health Information, and it establishes national standards governing how PHI may be used and disclosed, in any form.
HIPAA Security Rule – Officially the Security Standards for the Protection of Electronic Protected Health Information, this rule sets the administrative, physical and technical safeguards covered entities must apply to electronic PHI.
HIPAA Enforcement Rule – This rule establishes the procedures for investigating HIPAA compliance violations, imposing civil money penalties, and conducting hearings.
Title III. HIPAA Tax-Related Health Provisions includes tax-related provisions and guidelines for medical care, such as medical savings accounts.
Title IV. Application and Enforcement of Group Health Plan Requirements defines health insurance reforms, including provisions for individuals with pre-existing conditions and those seeking continued coverage.
Title V. Revenue Offsets includes provisions on company-owned life insurance and the treatment of those who lose their United States citizenship for income tax purposes.
The purpose of HIPAA is to provide continuous health insurance coverage for workers who lose or change their jobs, and to reduce the administrative burden and cost of healthcare by standardizing the electronic transmission of administrative and financial transactions. HIPAA is also designed to combat fraud, waste and abuse in health insurance and healthcare delivery, while improving access to long-term care services and health insurance.
In 2013, HHS issued the HIPAA Omnibus Final Rule, which implemented the modifications required by the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act. Among other changes, it made business associates of covered entities directly liable for compliance with certain Privacy and Security Rule requirements, and it adopted HITECH's tiered civil penalty structure, with a maximum of $1.5 million per calendar year for all violations of an identical provision.
The Office for Civil Rights (OCR) within HHS enforces HIPAA. Health plans, healthcare clearinghouses and healthcare providers are all covered entities under the HIPAA regulations. All individually identifiable health information that is held or transmitted by a covered entity or a business associate is protected under HIPAA, whether it is electronic, on paper, or spoken.
Protected health information (PHI) can be as simple as a patient's name attached to a record of care, or as complex as a full medical history or insurance data. It is all protected. This is the information that healthcare providers come into contact with most frequently during their work, and this is where we always need to remember to keep our mouths shut.
Cathy Massaro, MSW, CCM