Overview of HIPAA Regulations: Health Insurance Portability and Accountability Act

Slides: 22
Provided by: kimh60

1
Overview of HIPAA Regulations: Health Insurance
Portability and Accountability Act
  • HIPAA and YOU!

2
So What Is This HIPAA Thing?
  • HIPAA stands for Health Insurance Portability and
    Accountability Act
  • It is federal legislation intended to implement
    simplifications in the administration of health
    care plans and their associated claim and payment
    processes.

3
What Does HIPAA Do?
  • The Health Insurance Portability and
    Accountability Act of 1996 sets forth specific
    provisions for:
    • Standardized health information transactions
    • Standardization of code sets
    • National identifiers for providers, health
      plans/payers and employers
    • Security and privacy of health information

4
Y2K Analogy
  • One of the important concepts to HIPAA is that,
    unlike Y2K, it is not a destination, it is a
    process, an ongoing process

5
HIPAA Will Affect ...

6
HIPAA Applies To ...
  • Any entity collecting, creating, maintaining, or
    disseminating individually identifiable health
    information (IIHI)

7
Who Needs To Comply?
  • There are two groups defined by HIPAA that must
    comply with the regulation:
    • Covered Entity
    • Business Partner
  • Covered entities must comply with all aspects of
    HIPAA and it is towards these organizations that
    the legislation is directed.
  • Business partners would be required to comply
    with HIPAA through individual contracts with each
    covered entity.

8
Who Needs To Comply?
  • You must comply with HIPAA (through a contract
    with each individual covered entity) if you store
    or process protected health information.

9
Definitions: Covered Entity
  • all health plans, all health care
    clearinghouses, and all health care providers
    that transmit health information in an electronic
    form in connection with a standard transaction.

10
Definitions: Business Partner
  • a person to whom a covered entity discloses
    protected health information so that the person
    can carry out, assist with the performance of, or
    perform on behalf of, a function or activity for
    the covered entity

11
Definitions: Protected Health Information
  • individually identifiable health information
    that is or has been electronically transmitted or
    maintained by a covered entity

12
Applicability
  • If your organization does not fit the definition
    of a covered entity, your obligations are not
    specifically defined by HIPAA. Rather, each
    covered entity is required to bind your
    organization in a contract that mandates that
    your business adhere to the same privacy
    standards as the covered entity.

13
Timing
  • April 15, 2003 for:
    • Health care providers
    • Other than small health care plans
    • Health care clearinghouses

14
Administrative Simplification
  • Goals include:
    • Improve the efficiency and effectiveness of the
      health care system
    • Standardize the electronic data interchange of
      certain administrative financial transactions
    • Protect the security and privacy of transmitted
      information

15
Privacy Policy
  • The privacy policy must ensure that protected
    health information be carefully guarded and only
    revealed following strict guidelines.
  • Key components of a privacy policy include:
    • A statement as to what information maintained by
      the company is to be considered private.
    • A procedure to disclose protected information
      that has been authorized for release.
    • A procedure to deny disclosure of protected
      information that has not been authorized for
      release.
    • A section on staff training with an ongoing
      education requirement (maximum three years
      between trainings)

16
Privacy Policy
  • A covered entity or its business associates
    cannot access, use, or disclose protected health
    information without consent or authorization from
    the individual unless being used for treatment,
    payment or healthcare operations

17
Why Pay Attention?
  • Civil
    • $100 per violation
    • Up to $25,000 per year for multiple violations
      of same provision.
  • Criminal
    • $50,000 fine
    • One year in prison or both
    • If under False pretenses
      • $100,000 fine
      • 5 years prison or both
    • If under Criminal Intent to sell, transfer,
      • $250,000 fine
      • 10 years prison, or both

18
Individual Privacy Rights: Employees Must Be
Notified
  • How the covered entity will use or disclose
    protected health information
  • Right to access, inspect and copy records
  • Request restrictions on the release
  • Request amendment of records
  • Receive accounting of all disclosures which are
    not for payment, treatment, operations

19
What Should I Do?
  • Don't get caught doing nothing.
  • Gap Assessment
  • Document, Document, Document
  • Form a HIPAA Team
  • Develop a Plan
  • Work the Plan

20
What Should I Do?
  • Once you have a formal understanding of how
    protected health information moves through your
    organization, you can begin to develop policies
    to address HIPAA compliance. HIPAA (like most
    privacy/security issues) is mostly about policy.

21
QUESTIONS??