The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
HIPAA was signed into federal law in 1996 (Public Law 104-191). The intent of HIPAA is to improve the efficiency and effectiveness of the health care system through the establishment of standards and requirements for the electronic transmission of certain health information, by combating fraud, waste, and abuse, and by establishing security and privacy standards.
HIPAA is the single most significant Federal legislation affecting the health care industry since the creation of the Medicare and Medicaid programs in 1965. Title I of the Act improves the portability and continuity of health insurance coverage for millions of American workers and their families. Title II provides for administrative simplification that requires the development of standards for the electronic exchange of health care information.
Privacy and security of your health information is an important part of your care. Federal and state laws have been created to protect your health information through various requirements and provisions that limit uses and disclosures, prevent unauthorized access and sharing, and provide appropriate safeguards. Whether your information is stored on paper or electronically, your health information is protected by various laws. The following list of Federal and State laws (and links) provide information about many of the protections that you have as a California patient.
The HIPAA Privacy Rule establishes national standards to protect individuals' medical records and other personal health information and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization.
The Rule also gives patients rights over their health information, including the right to examine and obtain a copy of their health records and to request corrections.
The privacy regulation specifies how health care organizations and their business partners transfer, receive, handle, protect and disclose protected health information (PHI). The regulation applies to all forms of PHI, whether paper, oral or electronic. Health care organizations are required to create privacy-conscious business practices and data systems, which include the requirement that only the minimum amount of health information necessary is used or disclosed to conduct business.
The Privacy Rule is located at 45 CFR Part 160 and Subparts A and E of
The HIPAA Security Rule establishes national standards to protect individuals' electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information (ePHI).
The Security Rule is located at 45 CFR Part 160 and Subparts A and C of
The security rule is divided into four categories:
The complete suite of HIPAA Administrative Simplification Regulations can be found at 45 CFR Parts 160, 162, and 164.
Under Title II of GINA, it is illegal to discriminate against employees or applicants because of genetic information.
Title II of GINA prohibits the use of genetic information in making employment decisions, restricts employers and other entities covered by Title II (employment agencies, labor organizations and joint labor-management training and apprenticeship programs - referred to as "covered entities") from requesting, requiring or purchasing genetic information, and strictly limits the disclosure of genetic information.
This law protects the privacy of medical information by limiting disclosures of providers of health care, health care service plans, and contractors.
This law was amended to further define administrative fines or civil penalties for any person or entity, including licensed health care professionals, who knowingly and willfully obtains, discloses, or uses medical information in violation of the Confidentiality of Medical Information Act.
This law requires certain health facilities to prevent unlawful or unauthorized access to, or use or disclosure of, a patient's medical information. It sets fines and notification requirements for breaches of patient medical information and requires facilities to report such breaches to the California Department of Public Health.
This law establishes within the California Health and Human Services Agency the Office of Health Information Integrity to ensure the enforcement of state law mandating the confidentiality of medical information. The law requires every provider to establish and implement safeguards to protect the privacy of patients' medical information.
This law prohibits a business from seeking to obtain medical information from an individual for direct marketing purposes without (1) clearly disclosing how the information will be used and shared, and (2) getting the individual's consent.
With minor limitations, this law gives patients the right to see and copy information maintained by health care providers relating to the patients' health conditions. The law also gives patients the right to submit amendments to their records, if the patients believe that the records are inaccurate or incomplete.
This law requires companies that collect personal information to notify each person in their database should there be a security breach involving personal information such as their Social Security number, driver's license number, account number, credit or debit card number, or security code or password for accessing their financial account.
This section defines "personal information" which includes medical information and health insurance information. It defines "medical information" as any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional. The provision defines "health insurance information" as any unique identifier used by a health insurer to identify the individual, or any information in an individual's application and claims history, including any appeals records.
Covered Entities & Business Associates Affected
The Department of Health and Human Services issued this final rule to: Modify the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Enforcement Rules to implement statutory amendments under the Health Information Technology for Economic and Clinical Health Act ("the HITECH Act") to strengthen the privacy and security protection for individuals' health information; modify the rule for Breach Notification for Unsecured Protected Health Information (PHI)(Breach Notification Rule) under the HITECH Act; modify the HIPAA Privacy Rule to strengthen the privacy protections for genetic information by implementing section 105 of Title I of the Genetic Information Nondiscrimination Act of 2008 (GINA); and make certain other modifications to the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules (the HIPAA Rules) to improve their workability and effectiveness and to increase flexibility for and decrease burden on the regulated entities.
The core driver behind the HIPAA Omnibus Final Rule is to improve the quality, integrity, accessibility and confidentiality of a patient's PHI. The federal Department of Health and Human Services ("HHS") and Office for Civil Rights ("OCR") issued the amendments, which affect the Privacy, Security, Breach Notification and Enforcement Rules of the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act.
March 26th, 2013 is the effective date, and Sept. 23rd, 2013 is the compliance enforcement date. The rule, which modifies the HIPAA privacy, security and enforcement rules as well as the HIPAA breach notification rule, includes greater accountability and documentation requirements.
The Omnibus Rule is based on statutory changes under the HITECH Act, enacted as part of the American Recovery and Reinvestment Act of 2009, and the Genetic Information Nondiscrimination Act of 2008 (GINA) which clarifies that genetic information is protected under the HIPAA Privacy Rule and prohibits most health plans from using or disclosing genetic information for underwriting purposes.
The rule greatly enhances a patient's privacy protections,
Vendors providing services to healthcare organizations need to take the initiative to carefully determine whether they qualify as a business associate (BA) under the expanded definition, which includes subcontractors that handle protected health information (PHI). HIPAA Omnibus makes it clear that BAs and their subcontractors must comply with most HIPAA provisions.
The first HIPAA Final Rule, federal legislation issued in October 2000, adopts standards for eight electronic health transactions and for code sets to be used in those transactions. Health claims, health plan eligibility, enrollment and disenrollment in a health plan, payments for care and health plan premiums, claim status, referral certification and authorization, coordination of benefits, and related transactions, are all examples of electronic health transactions. Today, health providers and plans use many different electronic formats for these transactions. This rule requires everyone to use specific electronic formats for these transactions. Standards for the first report of injury and claims attachments will be adopted at a later date.
Use of standard code sets will also be required in all health transactions. Standards will be adopted for coding systems that describe diseases, injuries, and other health problems, as well as their causes, symptoms, and actions taken to prevent, diagnose, treat, or manage these diseases, injuries, and other health problems. Standards will be set for any substances, equipment, supplies, or other items used to perform these actions as well.
National standards for electronic health care transactions will encourage electronic business in the health care industry and simplify the processes involved. Standardization will improve the overall data quality, reduce handling and processing time, eliminate the risk of lost paper documents and inefficiencies of handling paper documents, and decrease administrative costs for providers.
Virtually all health plans will have to adopt these standards, even if a transaction is submitted by paper, phone or fax. Providers using non-electronic transactions are not required to adopt the standards; although if they don't, they will have to contract with a clearinghouse to provide translation services.
Health care organizations are currently able to assign proprietary identifiers to identify health care providers, employers, health plans and individuals. This lack of standardization has led to system incompatibilities, administrative inefficiencies and accuracy problems. These rules will eventually establish standards for unique identifiers for providers, plans, employers and individuals.
Under a proposed standard related to EDI (electronic data interchange) formats, National Provider Identifiers (NPIs) would be assigned to all providers and used by both public and private health plans. As proposed in the Federal standard, NPIs would be used by all health organizations that conduct HIPAA-specific electronic transactions. The NPI was proposed as an 8-digit alphanumeric identifier. However, many of those who have commented on the proposed rule prefer a 10-digit numeric identifier. Finalization of the specifications is expected in the future.
Employers frequently also have to be identified in electronic health care transactions. The adoption of the Employer Identification Number (EIN) as the standard unique identifier for employers in the filing and processing of health care claims and other transactions becomes effective July 30, 2002. The EIN is issued and maintained by the Internal Revenue Service (IRS). Businesses that pay wages to employees already have EINs. The identifier has nine digits, with the first two digits separated by a hyphen as follows: 00-0000000.
Off-site link to the Centers for Medicaid and Medicare Services (CMS), a Federal agency within the U.S. Department of Health and Human Services. (The CMS HIPAA glossary should not be considered a legal document.)