HIPAA is an acronym that stands for Health Insurance Portability and Accountability Act. This Act of 1996 was passed into a law to create a national standard for protecting the privacy of patients’ personal health information (PHI) by the Privacy Rule of the Department of Health and Human Services. The law is intended to protect health information by establishing transaction standards for the exchange of health information, security standards HIPAA Service, and privacy standards for the use and disclosure of individually identifiable health information. HIPAA deals with deals with the security and privacy of health information and applies to health care providers and employer group health plans. A person who handles patient documentation of any type should be educated on HIPAA compliance.
Principles of HIPAA
- To improve portability and continuity of health insurance coverage in the group and individual markets
- To combat waste, fraud, and abuse in health insurance and health care delivery
- To reduce costs and the administrative burdens of health care by improving efficiency and effectiveness of the health care system by standardizing the interchange of electronic data for specified administrative and financial transactions
- To ensure protecting the privacy of Americans’ personal health records by protecting the security and confidentiality of health care information
How to Comply with HIPAA
There are several ways one may qualify as a “Covered Entity” that is required to comply with the terms of HIPAA. Some of these are apparent like health care. In case one’s organization qualifies as a “health plan,” then also one is considered a Covered Entity. Health plan is nothing but any organization that “provides medical care, including items and services paid for as medical care, to employees or their dependents directly or through insurance.” If you offer employees medical care through a self-insured plan, chances are that you’re covered under HIPAA. Other organizations may fall under the “health care clearinghouse” provision based upon their responsibilities for processing health care data.
Once you are covered under HIPAA, there are two specific regulations of interest. These are: the HIPAA Privacy Rule and the HIPAA Security Rule.
HIPAA Privacy Rule
The Privacy Rule protects all individually identifiable protected health information (PHI) maintained by the Covered Entity. It is not specific to electronic information and applies equally to written records, telephone conversations, etc. According to the Department of Health and Human Services, PHI includes data that relates to:
- the individual’s past, present or future physical or mental health or condition or
- the provision of health care to the individual or
- the past, present, or future payment for the provision of health care to the individual
HIPAA Security Rule
The Security Rule deals with electronic Protected Health Information (ePHI), which is created, received, used, or maintained by a covered entity. The Security Rule requires implementation of three types of safeguards: 1) administrative, 2) physical, and 3) technical. Various security standards are identified by the rule for each of these types, and for each standard, it names both required and addressable implementation specifications. Required specifications must be adopted and administered as dictated by the Rule. Addressable specifications are more flexible. Individual covered entities can evaluate their own situation and determine the best way to implement addressable specifications.