HIPAA 101

The Health Insurance Portability and Accountability Act (HIPAA) is a legislative act that was passed in 1996. Several years later, administrative rules were published and continue to be updated to address transaction codes, information privacy, security, and breach notification rules.

Who Must Comply with HIPAA?

These administrative rules, known as the HIPAA Privacy and Security Rules (and the more recent Breach Notification Rule) contain administrative, technical and physical safeguards for the protection of certain patient information called "Protected Health Information" or PHI. These rules apply to all "covered entities". Covered entities generally include all healthcare plans, healthcare providers who transmit health care information in electronic form (using a standard transaction), and healthcare clearinghouses (including billing companies).  In addition to these covered entities, the HITECH Act expanded the reach of these administrative rules to another class of entities called "business associates." Business associates are contractors or vendors who perform certain tasks for the covered entities that generally require access to PHI or who perform tasks on behalf of the covered entity that are regulated by HIPAA.

What Kind of Information Does HIPAA Protect?

The Privacy Rule defines PHI as "individually identifiable health information" that is transmitted in any format (oral, written, electronic). All information pertaining to an individual and held by a covered entity is generally considered PHI. The only exception happens when it becomes "de-identified" pursuant to specific procedures outlined in the regulations. The Security Rule governs "electronic protected health information" and requires covered entities to ensure the confidentiality, integrity, and availability of all PHI that is created, received, maintained or transmitted by the covered entity or business associate in the electronic form.

What Rights Do Individuals Have Under HIPAA?

In general, the HIPAA Privacy Rule gives individuals the right to access, amend, request an accounting of the disclosures of their PHI, and request a restriction on the disclosure of their PHI.  These rights are not automatic and do have certain limits.  The individual also may request confidential communications or that a communication of their PHI comes by alternative means, such as sending correspondence to the individual's office instead of the individual's home. With limited exceptions, individuals also have the right to inspect and obtain a copy of their own protected health information and to request amendments of their protected health information. Individuals may also request an accounting of most disclosures the covered entity made of their PHI. Finally, individuals have the right to receive the covered entity's Notice of Privacy Practices.

What Do Covered Entities Need To Do In Order Comply With The HIPAA Rules?

Examples of the issues that covered entities will need to address in order to comply with the Privacy Rule include: 

• appointment of a privacy officer and contact person to receive complaints

• notice and authorization form for patients

• development of numerous required privacy policies and procedures

• drafting of agreements with all business associates

• annual training of staff on privacy issues

• perform regular risk analysis and compliance posture audits

What Does The HIPAA Security Rule Require?

The rule requires covered entities to conduct a risk analysis to identify any risks to electronic protected health information and to address such risks. In general, covered entities are also required to implement administrative procedures, physical safeguards, and technical security services to guard the integrity, confidentiality, and availability of patient data. The HIPAA Security Rule also requires covered entities to implement technical security mechanisms to prevent unauthorized access to patient data.

What Now?

The federal agency assigned to enforce the HIPAA administrative regulations is the Office of Civil Rights (OCR) within the Department of Health and Human Services.  In addition to investigating reported violations of HIPAA, OCR has begun actively auditing covered entities and business associates.  Mr. Miller was part of the team that developed the initial training materials for this audit program.  He can help your organization assess its compliance posture and prepare for an audit or investigation from OCR.