Health Insurance Portability and Accountability Act (HIPAA)

HIPAA (Health Insurance Portability and Accountability Act of 1996) is United States legislation that provides data privacy and security provisions for safeguarding medical information.

The Standards for Privacy of Individually Identifiable Health Information (Privacy Rule) establishes, for the first time, a set of national standards for the protection of certain health information. The U.S. Department of Health and Human Services (HHS) issued the Privacy Rule to implement the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

The Privacy Rule standards address the use and disclosure of individuals’ health information, called protected health information, by organizations subject to the Privacy Rule, called covered entities. They also set standards for individuals’ privacy rights to understand and control how their health information is used. Within HHS, the Office for Civil Rights (OCR) is responsible for implementing and enforcing the Privacy Rule, both through voluntary compliance activities and through civil money penalties.

The U.S. Department of Health & Human Services (HHS) recently adopted new rules that change the existing privacy, security, and breach notification requirements in what is often referred to as the final “HIPAA Omnibus Rule.” These new rules stem from changes made under the Health Information Technology for Economic and Clinical Health (HITECH) Act, which is part of the same law that created the Electronic Health Records (EHRs) Incentive Program under Medicare and Medicaid.

All covered physician practices must update their HIPAA policies and procedures and otherwise implement the changes required by these regulations no later than the September 23, 2013 compliance date. Under the new rules, physicians will need to update their Business Associate Agreements (BAAs) and their Notices of Privacy Practices (NPPs), and they will need to understand the importance of encrypting electronic protected health information.

Who is Covered by the Privacy Rule?

The Privacy Rule, as well as all the Administrative Simplification rules, applies to health plans, health care clearinghouses, and any health care provider who transmits health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA (the covered entities).

  • Health Plans
  • Health Care Providers
  • Health Care Clearinghouses

What Information is Protected under the Privacy Rule?

Protected Health Information (PHI): The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information “Protected Health Information (PHI).”

Individually identifiable health information is information, including demographic data, that relates to:

And that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).

The Privacy Rule excludes from protected health information employment records that a covered entity maintains in its capacity as an employer and education and certain other records subject to, or defined in, the Family Educational Rights and Privacy Act, 20 U.S.C. 1232g.

De-Identified Health Information. There are no restrictions on the use or disclosure of de-identified health information. De-identified health information neither identifies nor provides a reasonable basis to identify an individual. There are two ways to de-identify information: (1) a formal determination by a qualified statistician; or (2) the removal of specified identifiers of the individual and of the individual’s relatives, household members, and employers. The second method is adequate only if the covered entity has no actual knowledge that the remaining information could be used to identify the individual.

HIPAA Privacy and Security

  • The HIPAA Privacy Rule provides federal protections for Protected Health Information (PHI) held by covered entities and gives patients an array of rights with respect to that information. The Privacy Rule is balanced so that it permits the disclosure of PHI needed for patient care and other important purposes.
  • The HIPAA Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities to use to assure the confidentiality, integrity, and availability of electronic Protected Health Information (ePHI).
  • The HITECH Act, which is an addition to the overall HIPAA mandates, holds business associates responsible for complying with the HIPAA Privacy Rule and Security Rule. The HITECH Act also makes the Business Associate responsible for holding the covered entity to the Business Associate contract and to the HIPAA Privacy Rule and Security Rule. If the Business Associate becomes aware of any non-compliance by the Covered Entity, the Business Associate must fix the breach, terminate the Business Associate contract, and/or report the non-compliance to the Department of Health and Human Services (HHS).
  • In order to fulfill HIPAA regulations, Business Associates have to comply with the HIPAA Privacy Rule and Security Rule effective Feb 17, 2012.

A To-Do List for Medical Practice Compliance Officers

An effective compliance program should encompass all areas of regulation that are applicable to your practice. Many practices address billing and reimbursement and HIPAA compliance, but compliance programs also should cover employment, Occupational Safety and Health Administration (OSHA) requirements, Clinical Laboratory Improvement Amendments of 1998 (CLIA) regulations, Employee Retirement Income Security Act requirements, and other healthcare regulatory areas, including self-referral/Stark law and anti-kickback regulations. Every practice is unique, and so should be every compliance program.

A principal element of a compliance program is an effective and empowered compliance officer or compliance committee. If the practice designates a compliance committee, the compliance officer will be the chairperson and will coordinate the responsibilities among the members. The compliance officer’s two main responsibilities are (1) to develop and (2) to implement the practice’s compliance program.

The compliance officer should have knowledge in many areas, including business administration, clinical activities, coding, billing, reimbursement, risk management, and at least a general knowledge of the laws and regulations applicable to the medical practice environment. The compliance officer should have good judgment and the ability to prioritize; to create the necessary culture, he or she should be respected by, and considered approachable by, the other members of the practice.

Below is a list of responsibilities of the compliance officer and/or committee. This list can help your practice develop a job description and focus on key requirements when recruiting a compliance officer. AAPC and the Health Care Compliance Association are two organizations that offer certifications for individuals who have proven competency through rigorous study and examination. Hiring a certified individual provides additional assurance that the individual understands and can apply the key areas of compliance required to develop and implement an effective program.

List of Responsibilities

  • The compliance officer will be responsible for development of the corporate compliance program. After the performance of a baseline assessment, the compliance officer will draft the formal compliance program documents.
  • The compliance officer will review all relevant documents, perform and coordinate an organization-wide audit, and review all areas of possible noncompliance within the organization.
  • The compliance officer will distribute the written documentation of the compliance program.
  • The compliance officer will be responsible for periodically reviewing and updating the compliance program, and for dissemination of any changes to the employees and agents of the organization.
  • The compliance officer is responsible for developing, coordinating, and/or conducting the necessary training programs for all members of the healthcare organization. The initial training will include complete education regarding the corporate compliance program.
  • The compliance officer will be responsible for auditing the training records that are to be maintained by the organization as an element of compliance.
  • The compliance officer will review and/or coordinate the review of independent contractor arrangements to ensure that all of the applicable laws and regulations have been followed.
  • The compliance officer is responsible for coordinating and/or performing the screening of employees, agents, and independent contractors. This will involve making inquiries to the cumulative sanction report and the U.S. Government Accountability Office debarred contractors listing.
  • The compliance officer is responsible for conducting and/or coordinating internal and external compliance audits. This is to ensure that all areas of the corporate compliance program are being adhered to. This will include audits of the human resources department; coding, billing, and reimbursement departments; laboratory (CLIA); and all areas of the practice that fall under the OSHA and HIPAA guidelines. The compliance officer will also coordinate and/or audit the training and reporting elements of all the regulatory compliance manuals.
  • The compliance officer will coordinate and/or develop policies and programs for reporting noncompliance issues. This will include developing a reporting system for all persons associated with the practice to utilize when necessary to inform the compliance officer of potential noncompliance issues.
  • The compliance officer will perform and/or coordinate all investigations of deficiencies resulting from the reporting system or identified through the periodic assessments.
  • The compliance officer will initiate and/or coordinate corrective and preventive action for areas of noncompliance as identified in the periodic audits and/or through the reporting system.
  • The compliance officer will be responsible for maintaining a file of all areas of the compliance plan. This will include documentation of the initial baseline audit, the periodic compliance audits, training of personnel and agents of the practice, results of screening of individuals, any reports of suspected or actual noncompliance, all reports of investigations, and all reports of corrective action taken after the investigation has been completed.
  • The compliance officer will report regularly to the owner(s), managing physician, and/or board of directors of the organization.
  • The compliance officer will develop the budget necessary to perform all of the compliance duties, including items such as training for the staff, the compliance officer, and the compliance committee.

What is the Health Information Technology for Economic and Clinical Health Act (HITECH Act)?

The Health Information Technology for Economic and Clinical Health Act (HITECH Act) mandates audits of health care providers to investigate and determine whether they are in compliance with the HIPAA Privacy Rule (effective in 2003) and Security Rule (effective in 2005).

Any healthcare organization that stores, processes, or transmits protected health information (PHI) is required to comply with the Health Insurance Portability and Accountability Act and safeguard all protected data.

HIPAA is U.S. Public Law 104-191, the Health Insurance Portability and Accountability Act of 1996. Congress created the Act to improve health care enabled by the nation’s health plans and providers. HIPAA mandates standards-based implementation of security controls by all health care organizations that create, store, or transmit electronic protected health information. The HIPAA Security Rule governs protection of PHI. Organizations must certify their security programs via self-certification or through a private accreditation entity. Non-compliance can trigger various civil penalties, including fines and/or imprisonment.

HITECH is the Health Information Technology for Economic and Clinical Health Act, which brings additional compliance standards to healthcare organizations. It is directly related to HIPAA and was part of the American Recovery and Reinvestment Act of 2009. HITECH requires healthcare organizations to apply “meaningful use” of security technology to ensure the confidentiality, integrity, and availability of protected data. Detailed requirements for HIPAA and HITECH are managed by the Department of Health and Human Services (HHS).

Healthcare organizations are expected to keep their protected health information confidential and safe from data breaches and other exploits. Healthcare organizations also have a self-interest at heart, because penalties for non-compliance with HIPAA / HITECH can be substantial. In cases of “willful neglect,” a HITECH penalty can be at least $50K per violation, up to a total of $1.5 million in a calendar year. Other breach-related costs will be incurred for discovery and containment, investigation of the incident, remediation expenses, attorney and legal fees, loss of customer confidence, lost sales and revenue, brand degradation, and so on. Compliance is a serious responsibility on many levels.

Security is a crucial part of HIPAA / HITECH. The Department of Health and Human Services states, “[It] is important to recognize that security is not a one-time project, but rather an ongoing, dynamic process.” HIPAA therefore requires security-related processes, many of which are best implemented with automated technology. HIPAA regulations do not mandate particular security technologies.

Your organization’s compliance program should address two issues: (1) selecting and deploying security controls that meet HIPAA / HITECH requirements, and (2) providing a way to regularly audit the status of those controls to ensure continuous protection of PHI and EHRs, and ongoing compliance. Providing an independent assessor with audit-quality documentation of these steps and your security measures simplifies compliance audits.