Health Insurance Portability & Accountability Act (HIPAA)

From Aaushi

Notes

Passed in 1996.

Goals:

  • make health insurance more efficient & portable
  • administrative simplification
  • information protection

Implementation:

  • Privacy standards (April 2003)
  • Security standards
  • Codes & Transaction standards

HIPAA is a federal law protecting the privacy and security of personal medical data.

HIPAA also regulates group health insurance plans and electronic healthcare transactions.

Virtually every medical entity in America must comply with HIPAA.

Medical entities must become compliant, and remain compliant, with HIPAA over time.

Healthcare workers have HIPAA responsibilities too:

  • to help protect personal, confidential medical information

HIPAA law contains the following sections...

  • Title 1: Health Insurance Portability
  • Title 2: Administrative Simplification Transaction Standards
    • Standard Code Sets
    • Unique Health Identifiers
    • Privacy
    • Security
  • Titles 3, 4 & 5

5 major objectives of HIPAA

HIPAA's Long-term Benefits

  • Better privacy & security of personal health data
  • Greater portability of health insurance
  • Fewer claims rejected for errors
  • Faster payments on insurance claims
  • Patients less likely to litigate
  • Reduced administrative costs & overhead
  • Reduced bad debt and lost receivables
  • Computers & networks better protected

HIPAA was not designed to tell doctors and clinicians how to treat patients medically.

  • HIPAA says nothing about, & does not regulate clinical procedures or specific medical practices
  • HIPAA is not about the practice of medicine
  • HIPAA is about the business of healthcare

Covered Entity 'CE' is:*

  • A health plan, clearinghouse, or provider regulated by ('covered by') HIPAA
  • who comes into contact with confidential health data
  • who provides healthcare services in the normal course of business
  • who conducts certain healthcare business transactions in electronic form

* Virtually all US doctors, clinics, hospitals, labs, nursing homes, & many others are HIPAA Covered Entities.

Types of Covered Entities:

  • Standard Covered Entity - Provider, Health Plan, Clearinghouse
  • Hybrid Entity - Primary business functions not regulated by HIPAA's Privacy rule
    • a single legal entity, with different & distinct operating units
    • some operating units are covered under HIPAA, some are not
    • HIPAA-governed activities are not the primary business function
  • Affiliated Entities - Legally separate entities under common ownership
    • legally separate entities are separate operating units
    • common ownership of all entities.
  • Organized Health Care Arrangement (OHCA)
    • participants are integrated
    • formal designation is required.

Protected Health Information 'PHI'

  • Health information that is individually identifiable
    • someone could determine whom the data is about by looking at it
  • PHI may be created or received by a covered entity.
    • if it's PHI, it must be protected.
  • PHI may be in any medium: written, oral, disk, recorded, printed, stored, emailed or faxed

Notice of Privacy Practices 'NPP'

  • tells patients about HIPAA, & describes how their confidential health data may be used or disclosed by the Covered Entity
  • tells patients how to file a privacy-related complaint, if they believe their privacy has been violated
  • must be given to each patient (in printed form) at least once, or again if policies change substantially.
  • must be 'posted prominently' in an area where all patients can reasonably be expected to see it
  • patients are asked to sign an 'acknowledgement' (receipt) verifying they have received it; patients may refuse to sign

Authorization

  • customized document giving Covered Entities specific permission to use specific PHI for specific purposes, for a limited period of time
  • not required for treatment, payment, or operations
  • more specific than a traditional 'Consent' form
  • must have an expiration date or expiration event
  • must be signed and dated by the patient or their personal representative

Minimum Necessary Rule*

  • for a use, request, or disclosure of PHI, only the minimum necessary data needed to do the task or job should be used
  • when a CE uses, requests, or discloses PHI, it must make reasonable efforts to limit the information used or disclosed to the minimum necessary

* the Minimum Necessary Rule does not apply for treatment purposes

Designated Record Set 'DRS'

  • that portion of the total set of records that patients have access to under HIPAA
    • when they request a copy of their records.
    • when they request to add an amendment to their records

* the DRS doesn't include everything; it is the set of records 'used to make healthcare decisions' about a patient's treatment or care

Business Associate:

  • a person or company that works on behalf of a covered entity, but is not part of the CE's regular work force
  • exposure to PHI is part of the work or activity.
  • covered entities must have written contracts with business associates
    • some HIPAA requirements 'pass through'

Preemption:

  • preemption means HIPAA supersedes contrary state laws in most circumstances, except when:
    • state law is 'more stringent'* on privacy or security than HIPAA
    • state law is necessary for certain purposes: to prevent fraud, regulation of insurance, regulation of controlled substances, etc.
  • state laws apply to reporting requirements: medical audits, child abuse, births, deaths, injuries, public health activities, etc.

* 'more stringent' means the state law provides stronger personal privacy protections, or better access to personal PHI than HIPAA

HIPAA Requires Covered Entities to:

  • provide information to patients about their privacy rights & how their information may be used
  • adopt privacy & security policies and procedures that are appropriate for a practice, hospital, or plan
  • train employees so that they understand HIPAA & the privacy & security policies & procedures
  • designate individuals to be responsible for privacy & security
  • secure patient records so they are only accessible to those with a legitimate medical need for them

HIPAA Requires Staff to:

  • protect PHI in all forms & at all times
  • learn HIPAA policies & procedures.
  • report violations that they may observe
  • attend HIPAA training and education
  • direct patients to the privacy officer if they have a HIPAA problem or question

Additional terms
