HIPAA is the Health Insurance Portability and Accountability Act, and it was passed with broad bipartisan congressional support in 1996. At the time the legislation was enacted, most behavioral health and human service providers were focused on three important provisions of HIPAA:
Today, that little phrase makes the other two provisions of the act pale in significance when it comes to impact on the healthcare system over the next two to four years. Because of this, many experts have characterized HIPAA as one of the most far-reaching pieces of healthcare legislation ever enacted.
The "administrative simplification" features of HIPAA are really composed of two major parts:
Why all the concern? I believe that behavioral health and human service organizations will face the most scrutiny from consumers because:
There are requirements limiting the disclosure of psychotherapy notes that we believe will cause serious concern once the privacy and security regulations are finalized. We will have more to say on this in future issues.
Let's make one thing clear: If you are reading this article, you are probably covered by HIPAA. Overall, the legislation covers health plans, healthcare clearinghouses, healthcare providers and employers. The specific definitions of these entities are:
For those still doubtful about their HIPAA "exposure," let's look at the specific definitions of the act. It specifically states that the definition of a healthcare provider is:
Among other things, "healthcare" is defined as follows: Services or supplies furnished to an individual and related to the health of the individual. Healthcare includes the following: preventive, diagnostic, therapeutic, rehabilitative, maintenance or palliative care; counseling; service; or procedure with respect to the physical or mental condition, or functional status, of an individual or affecting the structure or function of the body.
If, after reading this and other material pertaining to HIPAA (see "Additional Resources," page 41), you believe that you are not covered by this legislation, I strongly suggest you obtain a competent legal opinion from an attorney with experience in healthcare, including interpretation of Medicare regulations and HIPAA itself.
In addition, HIPAA covers any "business partner" of a covered entity. A business partner includes a person to whom the covered entity discloses protected health information so that the person can carry out, assist with, or perform on behalf of the covered entity a function or activity. Examples include contractors or other persons who receive information for the purposes noted above, including lawyers, accountants, auditors, consultants and billing firms.
Covered entities cannot disclose protected health information to business partners without satisfactory assurances that the partner complies with relevant HIPAA standards.
Step 1: Educate yourself, and promote awareness and education among senior management and the board of directors. HIPAA should be considered a serious compliance initiative, and every effective compliance program begins with a formal commitment from the governing body.
Because this compliance will require resources in the form of funding and staff time, senior management must be forthright in its approach to the compliance effort. (Web sites that offer downloadable presentation materials are listed in "Additional Resources.")
Step 2: Develop an organizational project team for managing HIPAA compliance. Most organizations had some sort of compliance committee or team in place for Y2K preparations, or have one for JCAHO, CARF or other accreditation and/or regulatory concerns. These teams can serve as a logical point to begin HIPAA compliance assessments and planning.
Step 3: Conduct an organizational risk assessment. This can be a complicated and time-consuming task. I suggest the following approach:
Step 4: Develop and implement policies and procedures to address identified risks. The most important point of this step is to implement "policies and procedures" revisions and additions. There might be adjustments to the overall project plan in this phase because:
Step 5: Develop and implement staff education and training. This is specifically required by the legislation, and is not a one-time event. Staff will need to be retrained when new technology and operational practices are developed and deployed. Organizations with high staff turnover will face the most cost and management burdens in keeping staff up to speed. Additionally, under the law, staff will have to be recertified in this at least once every three years.
Step 6: Provide continual auditing and monitoring of compliance activities. This goes beyond putting something on paper. In order to be judged compliant, an organization will have to document that it has followed those policies and procedures approved by senior management and the board of directors.
While there is some speculation about the fate of these regulations given the change in the White House, most industry observers believe that there is no legislative mandate for change in the coming years. Even in the event that the Bush administration rolls back HIPAA, market pressures, consumer concerns about privacy, payer pressures for standardized transaction formats and political pressures might restore the regulations. That is why it is important to:
Based on my understanding of the regulations and their potential cost impact to organizations, I believe that there might be a positive cost/benefit to compliance. I have completed development of some initial cost models based on various organization sizes, and my conclusions are:
While there is certainly variation in these estimates, my simulation modeling demonstrated that 90% of organizations should realize a cost/benefit value of at least $1.34. I believe that, overall, an organization can experience a positive long-term benefit in complying with HIPAA.