503-359-1275
HIPAA History and Background

HIPAA History and Background – Continuing with HIPAA

HIPAA History and Background

That was the title of the first post on this topic, in which we quoted an article by Daniel J. Solove that is an excellent resource on HIPAA. In this post we start putting the pieces of HIPAA together, and we begin by asking the question:

What is HIPAA?

The acronym stands for the Health Insurance Portability and Accountability Act of 1996. And nothing makes the case for protecting the health information of the public better than the government's own preamble to the HIPAA Privacy Rule, which states:

“According to the American Health Information Management Association (AHIMA), an average of 150 people “from nursing staff to X-ray technicians, to billing clerks” have access to a patient’s medical records during the course of a typical hospitalization. While many of these individuals have a legitimate need to see all or part of a patient’s records, no laws govern who those people are, what information they are able to see, and what they are and are not allowed to do with that information once they have access to it.”

An average of 150 people look at your medical records when you’re hospitalized

Did you know that? I didn’t! But ending up in the hospital has happened to me on more than a couple of occasions. And because my protected health information (PHI) has already been breached (once that I know of), I’m glad that the legislators in Washington, D.C. finally did something about protecting me.

The primary role of HIPAA

In layman’s terms, the goal of HIPAA is to (source: http://health.state.tn.us/hipaa/):
• make it easier for people to keep health insurance from job to job
• protect the confidentiality and security of healthcare information
• control administrative costs
• restrict health plans from imposing pre-existing condition exclusions

Notable Dates of HIPAA

Privacy Rule – Enacted in April 2003, this rule addresses protected health information (PHI).

Security Rule – Enacted in February 2003, this rule deals with electronic health information (ePHI) which is essentially a subset of what the Privacy Rule encompasses. In terms of actual regulatory text, the Security Rule only spans approximately 8 pages, but it is highly technical in nature.

Administrative Simplification – Provisions enacted in 2006 that required the Department of Health and Human Services (HHS) to adopt national standards for electronic health care transactions and code sets, unique health identifiers, and security.

HITECH Act/Breach Notification – Enacted in 2009, it covers the application of the security provisions to business associates, the application of civil and criminal penalties, and annual guidance.

Omnibus Rule/Final Rule – Enacted in 2013, the Final Rule strengthens the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

What Does HIPAA Regulate?

HIPAA regulates “covered entities”, which consist of healthcare providers, health plans, and clearinghouses that process health data in the electronic format specified in the HIPAA statute. With the release of the Omnibus Rule (the “Final Rule”), HIPAA now also covers “business associates”, i.e. entities that contract with covered entities and that receive, create, transmit or maintain protected health information (PHI).

The HIPAA Privacy Rule governs PHI, which is any “individually identifiable health information” – a broad definition including paper records.

The HIPAA Security Rule is narrower, applying only to “electronic” PHI, or e-PHI.

A bird’s-eye view of HIPAA includes:

Privacy Program – HIPAA mandates that covered entities designate a privacy official to develop and implement policies for protecting privacy and handle questions and complaints. HIPAA also requires training of personnel.
Limitations on Disclosure and Use – HIPAA requires that people authorize disclosure of their PHI unless an exception applies, such as a legal requirement or to report abuse, or for treatment, payment, or healthcare operations. The “minimum necessary rule” requires that only the minimum necessary PHI be accessed and used.
Patient Rights – HIPAA provides a set of rights to patients, including a right to be given a notice about the privacy practices of a covered entity, a right to access PHI, and a right to file a complaint alleging a HIPAA violation without retaliation.
Security Safeguards – For e-PHI, the HIPAA Security Rule provides a detailed series of administrative, physical, and technical safeguards.
State Law – HIPAA did not preempt stronger state law protections, so any state law that is more protective remains in effect.

HIPAA Enforcement

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for the civil enforcement of HIPAA. There are also criminal penalties for certain wrongful disclosures of PHI. However, HIPAA does not provide a private right of action, meaning that people whose HIPAA rights are violated cannot sue for damages under HIPAA itself, though they can still sue if state law is violated.

In our next post we’ll continue by talking about each of the major HIPAA provisions in more detail.

FREE BUSINESS ADVISORY GUIDE

If your company is a health plan, health care clearinghouse, health care provider, insurance broker etc. and you’re relying on tape drives, external hard drives, or USB devices to back up your protected health data (PHI), then it’s critical for you to get and read: 12 Little-Known Facts Every Business Owner Must Know About Data Backup, Security And Disaster Recovery. You’ll learn what most IT consultants don’t know or won’t tell you about making sure your company’s critical data is safe from loss, corruption, cyber criminals, natural disasters and employee sabotage, in addition to:
• The only way to know for SURE your data can be recovered if lost, corrupted or deleted – yet fewer than 10% of businesses have this in place.
• 7 critical characteristics you should absolutely demand from any offsite backup service; do NOT trust your data to any company that does not meet these criteria.
• Where tape backups fail and give you a false sense of security.
• The #1 cause of data loss that most businesses don’t even think about until their data is erased.

You can download your Free Business Advisory Guide Here.

This guide explains in plain, everyday English what you need to know about data backup, security and disaster recovery.

And don’t worry about some sales guy calling you from our office because you downloaded information off of our website. No one from our office will call you; I promise. We don’t like sales calls any more than you do! We understand if you’re not ready to do that, and if that’s the case, then just read these posts when they come out. We post on a regular schedule.

Have you started your HIPAA compliance initiative?

With small health care practices as part of our growing family, we are committed to HIPAA compliance and creating a culture of compliance. We know first-hand that HIPAA compliance for small health care practices is daunting. As a business associate we’re going through it ourselves. We’re actually doing it, not just writing about it.

Do you need some technology help in your health care practice? Would you like to work with a technology company that is dedicated to a culture of HIPAA compliance?

Give us a call at 503.359.1275. We’re always happy to chat!

For more information visit: http://dtsinfotech.com/hipaa-compliance-for-small-health-care-practices

Dedicated to your success,

Wally Moore
General Manager & Compliance Officer
DTS InfoTech . . . computer networks that work

503.359.1275

www.dtsinfotech.com

HIPAA History and Background

From a business associate’s perspective it’s very interesting, to say the least.

As an IT company, it’s apparent to me that the massive change this legislation has brought about is not going to stop; there is too much change occurring in information technology, at all levels and at all times.

Of course this directly impacts the Security Rule (SR) under HIPAA. Enacted in February 2003, the SR deals with electronic health information (ePHI), which is essentially a subset of what the Privacy Rule encompasses. In terms of actual regulatory text, the Security Rule only spans approximately 8 pages, but it is highly technical in nature. Because technology changes all the time, the Omnibus Final Rule will not be the final change to HIPAA.

A business associate’s perspective

Rather than writing another article on HIPAA history and background, to get this series started I am quoting from an excellent article written by Daniel J. Solove, entitled:

HIPAA Turns 10: Analyzing the Past, Present and Future Impact. Journal of AHIMA 84, no. 4 (April 2013): 22-28.

Mr. Solove writes:

“Ten years ago after countless years of germination and many twists and turns, the HIPAA Privacy Rule finally became effective. It would soon be followed by the HIPAA Security Rule – which was published in 2003 and became effective in 2005 – and eventually by the HIPAA Enforcement Rule and the Breach Notification Rule as well.

HIPAA’s length compares to that of a Tolstoy novel—since it contains some of the most detailed and comprehensive requirements of any privacy and data security law. When the HIPAA regulation initially went into effect, it generated significant skepticism, confusion, and even angst. Many in the healthcare industry asked: Would it be possible to provide efficient healthcare and comply with all of HIPAA’s requirements? What did protecting the confidentiality of protected health information mean? How would HIPAA be enforced? Would HIPAA interfere with the relationships between patients and healthcare providers?

Skeptics wondered whether HIPAA might prove to be too cumbersome and expensive to comply with. Some were concerned that HIPAA wouldn’t provide meaningful privacy protection. Others worried that HIPAA would be redundant with state health privacy laws and would not add much value. People questioned whether HIPAA would really make an impact, and if any impact would be for the better or the worse.

Ten years later these questions have largely been answered. HIPAA has evolved during the past decade and was greatly fortified by the 2009 HITECH Act and its HIPAA modification regulations released in January 2013. Whatever one might think about HIPAA, it is hard to dispute that it has had a vast impact on patients, the healthcare industry, and many others over the last 10 years—and will continue to shape healthcare and HIM professionals for many more years to come.”

HIPAA and the HITECH Act

The HITECH Act is where our company, DTS InfoTech, got involved in HIPAA. Up to that time, we believed that there was a difference between a covered entity and a business associate, which is another way of saying that we were not bound by the same rules covered entities were. But with the enactment of HITECH, business associates are now directly on the hook for protected health information, just like covered entities.

And that’s what we’re addressing in this series of blog posts: business associates and HIPAA compliance. If you’re a business associate, acting as a sub-contractor to a covered entity, and you are not HIPAA compliant, you had better wake up and smell the audit(s) that are sure to come our way.

In our next post we’ll continue talking about HIPAA history and background.
