Health Insurance Portability and Accountability Act (HIPAA)
Who is Covered by the Privacy Rule?
Health Plans
Individual and group plans that provide or pay the cost of medical care are covered entities. Health plans include health, dental, vision, and prescription drug insurers, health maintenance organizations (HMOs), Medicare, Medicaid, Medicare+Choice and Medicare supplement insurers, and long-term care insurers (excluding nursing home fixed-indemnity policies). Health plans also include employer-sponsored group health plans, government- and church-sponsored health plans, and multi-employer health plans.
Health Care Providers
Every health care provider, regardless of size, who electronically transmits health information in connection with certain transactions is a covered entity. These transactions include claims, benefit eligibility inquiries, referral authorization requests, or other transactions for which HHS has established standards under the HIPAA Transactions Rule. Using electronic technology such as email does not by itself make a health care provider a covered entity; the transmission must be in connection with a standard transaction. The Privacy Rule covers a health care provider whether it electronically transmits these transactions directly or uses a billing service or other third party to do so on its behalf. Health care providers include all providers of services (e.g., institutional providers such as hospitals) and providers of medical or health services (e.g., non-institutional providers such as physicians, dentists, and other practitioners) as defined by Medicare, and any other person or organization that furnishes, bills, or is paid for health care.
Health Care Clearinghouses
Health care clearinghouses are entities that process nonstandard information they receive from another entity into a standard (i.e., standard format or data content), or vice versa. In most instances, health care clearinghouses will receive individually identifiable health information only when they are providing these processing services to a health plan or health care provider as a business associate. In such instances, only certain provisions of the Privacy Rule apply to the health care clearinghouse's uses and disclosures of protected health information.
What Information Is Protected as PHI under the Privacy Rule?
Individually identifiable health information is information, including demographic data, that relates to:
- The individual's past, present, or future physical or mental health or condition,
- The provision of health care to the individual, or
- The past, present, or future payment for the provision of health care to the individual.
HIPAA Privacy and Security
- The HIPAA Privacy Rule provides federal protections for Protected Health Information (PHI) held by covered entities and gives patients an array of rights with respect to that information. The Privacy Rule is balanced so that it permits the disclosure of PHI needed for patient care and other important purposes.
- The HIPAA Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities to use to assure the confidentiality, integrity, and availability of electronic Protected Health Information (ePHI).
- The HITECH Act, which is an addition to the overall HIPAA mandates, holds business associates responsible for complying with the HIPAA Privacy Rule and Security Rule. The HITECH Act also makes the business associate responsible for holding the covered entity to the Business Associate contract and to the HIPAA Privacy Rule and Security Rule. If the business associate becomes aware of any non-compliance by the covered entity, the business associate must fix the breach, terminate the Business Associate contract, and/or report the non-compliance to the Department of Health and Human Services (HHS).
- In order to fulfill HIPAA regulations, business associates have had to comply with the HIPAA Privacy Rule and Security Rule since Feb 17, 2012.
A To-Do List for Medical Practice Compliance Officers
List of Responsibilities
- The compliance officer will be responsible for development of the corporate compliance program. After the performance of a baseline assessment, the compliance officer will draft the formal compliance program documents.
- The compliance officer will review all relevant documents, perform and coordinate an organization-wide audit, and review all areas of possible noncompliance within the organization.
- The compliance officer will distribute the written documentation of the compliance program.
- The compliance officer will be responsible for periodically reviewing and updating the compliance program, and for dissemination of any changes to the employees and agents of the organization.
- The compliance officer is responsible for developing, coordinating, and/or conducting the necessary training programs for all members of the healthcare organization. The initial training will include complete education regarding the corporate compliance program.
- The compliance officer will be responsible for auditing the training records that are to be maintained by the organization as an element of compliance.
- The compliance officer will review, or coordinate the review of, independent contractor arrangements to ensure that all applicable laws and regulations have been followed.
- The compliance officer is responsible for coordinating and/or conducting the screening of employees, agents, and independent contractors. This will involve making inquiries to the Cumulative Sanction Report and the U.S. Government Accountability Office debarred contractors listing.
- The compliance officer is responsible for conducting and/or coordinating internal and external compliance audits to ensure that all areas of the corporate compliance program are being adhered to. This will include audits of the human resources department; the coding, billing, and reimbursement departments; the laboratory (CLIA); and all areas of the practice that fall under the OSHA and HIPAA guidelines. The compliance officer will also coordinate and/or audit the training and reporting elements of all the regulatory compliance manuals.
- The compliance officer will coordinate and/or develop policies and programs for reporting noncompliance issues. This will include developing a reporting system that all persons associated with the practice can use, when necessary, to inform the compliance officer of potential noncompliance issues.
- The compliance officer will perform and/or coordinate all investigations of deficiencies resulting from the reporting system or identified through the periodic assessments.
- The compliance officer will initiate and/or coordinate corrective and preventive action for areas of noncompliance as identified in the periodic audits and/or through the reporting system.
- The compliance officer will be responsible for maintaining a file of all areas of the compliance plan. This will include documentation of the initial baseline audit, the periodic compliance audits, training of personnel and agents of the practice, results of screening of individuals, any reports of suspected or actual noncompliance, all reports of investigations, and all reports of corrective action taken after the investigation has been completed.
- The compliance officer will report regularly to the owner(s), managing physician, and/or board of directors of the organization.
- The compliance officer will develop a budget necessary to perform all of the compliance duties including items such as training for the staff, compliance officer, and compliance committee.