About HIPAA – Health Insurance Portability and Accountability Act
The Health Insurance Portability and Accountability Act (HIPAA) was originally created to protect health insurance coverage for employees who changed or lost jobs (portability). The administrative simplification part was created to increase the efficiency and effectiveness of the health care system and to ensure the protection of health information (accountability). The "portability" part of HIPAA has been in effect since 1996, but we're only just starting to see the "accountability" part come into play.
HIPAA is the most comprehensive privacy law ever enacted in the United States. All healthcare providers (hospitals, doctors, pharmacies, dentists, etc.), health plans (insurance companies), and healthcare clearinghouses (third-party billing, claims processing, etc.) must comply. HIPAA covers information in electronic, written and oral form. To meet the goals set by HIPAA, the Department of Health and Human Services (DHHS) created three sets of standards:
- Electronic transactions and code sets
- Privacy
- Security
Electronic transaction standards
Historically, health care providers and plans have used many different electronic formats to process medical claims and related business. The introduction of a national standard aims to establish a single format that makes transactions nationwide "simpler" and more efficient. Eight administrative and financial transactions are specifically targeted:
- Claims and coordination of benefits (837),
- Payment and remittance advice (835),
- Eligibility inquiry and response (270/271),
- Claim status inquiry and response (276/277),
- Referral and authorization request and response (278),
- Enrollment and disenrollment (834), and
- Premium payments (820).
Health care providers must apply these standards whenever they submit transactions electronically to a health plan. In addition, Medicare requires electronic transactions, so all Medicare providers must adopt the standards for these transactions.
The rule also defines a set of code sets to support these transactions. These include ICD-9-CM for diagnoses and inpatient procedures, the HCFA Common Procedure Coding System (HCPCS) for healthcare procedures, equipment and supplies, and the National Drug Code (NDC) for pharmaceuticals. Fortunately, the code sets proposed as HIPAA standards are already in use by most providers and health plans.
Unique identification standards
Historically, healthcare organizations have used multiple identification formats to do business with each other: a confusing, error-prone and expensive approach. Standard identifiers are expected to reduce these problems.
The Unique Employer Identifier Standard, published in 2002, adopts an employer's tax identification number, or Employer Identification Number (EIN), as the standard for electronic transactions. The compliance date for this standard is July 30, 2004.
The Unique Healthcare Provider Identifier Standard was published on January 23, 2004. This final rule establishes a standard National Provider Identifier (NPI) for all healthcare providers under HIPAA. Healthcare providers can apply for NPIs from May 23, 2005, but not earlier. The compliance date for this standard is May 23, 2008.
The unique health plan (payer) identifier is still in the proposed stage. This rule would implement a standard identifier for health plans that process and pay for specific electronic health transactions. Its expected release date is unknown.
Claims attachment standard
This rule proposes an electronic standard for attachments required under HIPAA. It will be used to transfer clinical data beyond what is contained in the claims standard, in order to determine medical necessity for coverage. The expected release date is August 2004.
Privacy standards
HIPAA's privacy standards establish, for the first time, national standards for protecting an individual's medical records and other personal health information. Patients want more control over their health information. The rule sets limits on the use and sharing of health records, establishes appropriate safeguards that health care providers must take to protect the confidentiality of health information, holds violators liable with civil and criminal penalties, and allows patients to find out how their information may be used and what disclosures of their information have been made. It also gives patients the right to see their own medical records, obtain a copy of them and request corrections. Compliance with the HIPAA privacy standards was required from April 14, 2003.
Changes in Privacy Standards for Individually Identifiable Health Information
Amendments to the Privacy Standards for Individually Identifiable Health Information were published on August 14, 2002. The compliance date remained April 14, 2003. The amendments changed the standards for:
- Marketing
- Consent and notice
- Uses and disclosures regarding FDA-regulated products and activities
- Incidental uses and disclosures
- Authorization
- Minimum necessary
- Parents and minors
- Business associates
- Research
- Limited data set
- Hybrid entities
- Health care operations: changes in legal ownership
- Disclosure of enrollment and disenrollment information to group health plans
- Accounting of disclosures
- Disclosures for treatment, payment or health care operations of another entity
- Protected health information: exclusion of employment records
Security standards
The final security rule was published on February 20, 2003, with a compliance date of April 21, 2005. This rule is the first of its kind in healthcare, requiring all covered entities to comply with security regulations set by the federal government. In general, the rule requires covered entities to:
- ensure the confidentiality, integrity and availability of all electronic protected health information (PHI) that the entity creates, receives, maintains or transmits;
- protect against any reasonably anticipated threat or hazard to the security or integrity of this information;
- protect against any reasonably anticipated use or disclosure of such information that is not permitted or required by the rule; and
- ensure compliance by the covered entity's workforce.
The specific areas to be addressed fall into three general categories: physical safeguards, technical safeguards and administrative safeguards. These safeguards are further divided into 18 security standards with 42 specific security areas that the covered entity must address.
This rule is in line with what other industries would consider best practice, but is tailored specifically to healthcare. Some of the rule's requirements have already been implemented to a certain extent. For example, the rule requires security training for employees and the use of authentication mechanisms for access to computers. It also requires creating and enforcing policies and procedures that govern the way we work. Other requirements, such as encrypting electronic transmissions that contain PHI and leave our network, are new and must be addressed to achieve compliance. Finally, the security rule does not tell us which technology to use or how to write the policies we need. It requires us to decide which approach best suits our needs while meeting the basic obligations in each area.
Frequently asked questions
What is HIPAA?
HIPAA, the Health Insurance Portability and Accountability Act, is the most comprehensive privacy law ever enacted in the United States. All health care providers (hospitals, doctors, pharmacies, dentists, etc.), health plans, and healthcare clearinghouses (third-party billing, claims processing, etc.) must comply. HIPAA protects medical records and other individually identifiable health information, whether it is communicated on paper, in computers, or orally. Orlando Health is committed to complying with HIPAA.
What is PHI?
PHI stands for Protected Health Information. This is information, including demographic data, collected about an individual and created or received by Orlando Health that (1) relates to the individual's past, present or future physical or mental condition, to the provision of health care to the individual, or to past, present or future payment for the individual's health care services, and (2) identifies the individual or can be used to identify the individual.
What does the privacy policy require of the average healthcare provider, including Orlando Health?
Here are some of the requirements:
- Educate patients about their privacy rights and how the information may be used.
- Obtain patient authorization for specific uses and disclosures of PHI.
- Establish clear data protection procedures.
- Train your employees to understand privacy practices.
- Designate an individual responsible for ensuring that privacy practices are adopted and followed.
- Secure patient records containing PHI so that they are not readily accessible to those who do not need them.
Can doctors and other health care providers share patient health information for treatment purposes without the patient's consent?
Yes. The Privacy Rule allows doctors, nurses, hospitals, laboratory technicians and healthcare facilities to use or disclose PHI for treatment purposes without the patient's consent. Other uses and disclosures may require authorization under local law. See Health Information Management for specific guidelines.
What is the Notice of Privacy Practices?
The Notice of Privacy Practices is a one-time document provided to all patients when they register for care at Orlando Health. The notice describes how the patient's health information may be used and disclosed, and how the patient or their guardian can access that health information.