HIPAA

Published on January 2017 | Categories: Documents | Downloads: 43 | Comments: 0 | Views: 516

HIPAA Refresher

What is HIPAA?
HIPAA is the acronym for the Health Insurance Portability and Accountability Act, which was passed by Congress in 1996. It is a set of statutes designed to improve the efficiency and effectiveness of the US health care system. HIPAA does the following:

- Provides the ability to transfer and continue health insurance coverage for millions of American workers and their families when they change or lose their jobs;
- Reduces health care fraud and abuse;
- Mandates industry-wide standards for health care information on electronic billing and other processes; and
- Requires the protection and confidential handling of protected health information.

The HIPAA Privacy regulations require health care providers and organizations, as well as their business associates, to develop and follow procedures that ensure the confidentiality and security of protected health information (PHI) when it is transferred, received, handled, or shared. This applies to all forms of PHI, including paper, oral, and electronic. Furthermore, only the minimum health information necessary to conduct business is to be used or shared.

HIPAA is organized into separate "Titles":

- Title I: Title I of HIPAA provides rules to "improve the portability and continuity of health insurance coverage" for workers when they change employers.
- Title II: Title II of HIPAA provides rules for controlling health care fraud and abuse, and includes an "Administrative Simplification" section that sets standards for enabling the electronic exchange of health information.

Provisions in the "Administrative Simplification" section of Title II include rules protecting the privacy and security of health data. These rules are enforced by the US Department of Health and Human Services Office for Civil Rights (OCR):

- The Privacy Rule protects the privacy of individually identifiable health information.
- The Security Rule sets national standards for the security of electronic protected health information (ePHI).

THE HITECH ACT:
In 2009, HIPAA enforcement rules were strengthened by the Health Information Technology for Economic and Clinical Health (HITECH) Act, which is part of the American Recovery and Reinvestment Act of 2009 (ARRA). Subtitle D of the HITECH Act improved the privacy and security provisions found in the original HIPAA Privacy and Security Rules. ARRA contains incentives related to health care information technology in general (e.g., creation of a national health care infrastructure) and specific incentives designed to accelerate the adoption of electronic health record (EHR) systems among providers. Because this legislation anticipates a massive expansion in the exchange of electronic protected health information (ePHI), the HITECH Act also widens the scope of the privacy and security protections available under HIPAA, increases the potential legal liability for non-compliance, and provides for more enforcement.


What types of entities must comply with HIPAA?

HIPAA applies to and affects virtually all health care-related organizations, which it refers to as "covered entities". These covered entities include health plans, providers (such as hospitals, doctors, labs, dentists, etc.), health care clearinghouses, and the federal Medicare and state Medicaid programs. Other state and local government programs may be impacted too, even if they do not meet the definition of a covered entity.

Furthermore, HIPAA regulates the use and disclosure of what it calls "protected health information" (PHI for short). PHI is defined as individually identifiable health information created or received by a covered entity that relates to an individual's past, present or future physical or mental condition, the provision of health care to the individual, or payment for that health care. PHI may be released by a covered entity if the purpose is the treatment of the patient, payment for a health care provider's services, or certain business operations of the covered entity.

HIPAA and the Indiana State Department of Health:
The Indiana State Department of Health (ISDH) is a hybrid entity under HIPAA. This means that while the primary purpose of the ISDH is not to be a health care provider, health care plan or health care clearinghouse, some of its components meet those definitions. The programs that meet HIPAA's definitions of covered entities must comply with HIPAA's regulations. The ISDH HIPAA covered programs are:

- Breast and Cervical Cancer Program
- Children's Special Health Care Services Program
- Genomics/Newborn Screening Program
- Hemophilia Program
- HIV Medical Services Program

At the current time, other ISDH programs are not required to comply with HIPAA, although other laws may apply to them and require protection of individuals' information.

What is sensitive data, and how is it protected by law?
Often, context plays a role in data sensitivity; thus, this list is not exhaustive:

- Personal and financial data, including:
  o Social Security number (SSN)
  o Credit card number or banking information
  o Passport number
  o Foreign visa number
  o Tax information
  o Credit reports
  o Anything that can be used to facilitate identity theft (e.g., mother's maiden name)


- Federally protected data, including:
  o FERPA-protected information (e.g., student information and grades)
  o HIPAA-protected information (e.g., health, medical, or psychological information)
- State protected data: the state of Indiana has recently enacted data protection and disclosure laws, specifying certain data as sensitive "personal information". Indiana's notification law reads:
  Sec. 3. (a) As used in this chapter, "personal information" means:
  A. An individual's:
     first name and last name; or
     first initial and last name; and
     at least one (1) of the following data elements:
       o Social Security number
       o Driver's license number or identification card number
       o Account number, credit card number, debit card number, security code, access code, or password of an individual's financial account
- University restricted data
- Human subjects research data
- Passwords

Following are some examples of non-sensitive data. Again, this list is not exhaustive:

- Publicly available information that is lawfully made available to the public from records of another federal or local agency
- Information that would appear in the telephone directory
- The last four digits only of a Social Security number or credit card number
