HIPAA is the Health Insurance Portability and Accountability Act, and it was passed with broad bipartisan congressional support in 1996. At the time the legislation was enacted, most behavioral health and human service providers were focused on three important provisions of HIPAA:
Today, that little phrase makes the other two provisions of the act pale in significance when it comes to impact on the healthcare system over the next two to four years. Because of this, many experts have characterized HIPAA as one of the most far-reaching pieces of healthcare legislation ever enacted.
The "administrative simplification" features of HIPAA are really composed of two major parts:
Why all the concern? I believe that behavioral health and human service organizations will face the most scrutiny from consumers because:
There are requirements limiting the disclosure of psychotherapy notes that we believe will cause serious concern once the privacy and security regulations are finalized. We will have more to say on this in future issues.
Let's make one thing clear: If you are reading this article, you are probably covered by HIPAA. Overall, the legislation covers health plans, healthcare clearinghouses, healthcare providers and employers. The specific definitions of these entities are:
For those still doubtful about their HIPAA "exposure," let's look at the specific definitions of the act. It specifically states that the definition of a healthcare provider is:
Among other things, "healthcare" is defined as follows: Services or supplies furnished to an individual and related to the health of the individual. Healthcare includes the following: preventive, diagnostic, therapeutic, rehabilitative, maintenance or palliative care; counseling; service; or procedure with respect to the physical or mental condition, or functional status, of an individual or affecting the structure or function of the body.
If, after reading this and other material pertaining to HIPAA (see "Additional Resources," page 41), you believe that you are not covered by this legislation, I strongly suggest you obtain a competent legal opinion from an attorney with experience in healthcare, including interpretation of Medicare regulations and HIPAA itself.
In addition, HIPAA covers any "business partner" of a covered entity. A business partner includes a person to whom the covered entity discloses protected health information so that the person can carry out, assist with the performance of or perform on behalf of a function or activity for the covered entity. Examples include contractors or other persons who receive information for purposes noted above, including lawyers, accountants, auditors, consultants and billing firms.
Covered entities cannot disclose protected health information to business partners without satisfactory assurances that the partner complies with relevant HIPAA standards.
Step 1: Educate yourself, and promote awareness and education among senior management and the board of directors. HIPAA should be considered a serious compliance initiative, and every effective compliance program begins with a formal commitment from the governing body.
Because this compliance will require resources in the form of funding and staff time, senior management must be forthright in its approach to the compliance effort. (Web sites that offer downloadable presentation materials are listed in "Additional Resources.")
Step 2: Develop an organization project team for managing HIPAA compliance. Most organizations had some sort of compliance committee or team in place for Y2K preparations or have one for JCAHO, CARF or other accreditation and/or regulatory concerns. These teams can serve as a logical point to begin HIPAA compliance assessments and planning.
Step 3: Conduct an organizational risk assessment. This can be a complicated and time-consuming task. I suggest the following approach:
Step 4: Develop and implement policies and procedures to address identified risks. The most important point of this step is to implement "policies and procedures" revisions and additions. There might be adjustments to the overall project plan in this phase because:
Step 5: Develop and implement staff education and training. This is specifically required by the legislation, and is not a one-time event. Staff will need to be retrained when new technology and operational practices are developed and deployed. Organizations with high staff turnover will face the most cost and management burdens in keeping staff up to speed. Additionally, under the law, staff will have to be recertified in this at least once every three years.
Step 6: Provide continual auditing and monitoring of compliance activities. This goes beyond putting something on paper. In order to be judged compliant, an organization will have to document that it has followed those policies and procedures approved by senior management and the board of directors.
While there is some speculation about the fate of these regulations given the change in the White House, most industry observers believe that there is no legislative mandate for change in the coming years. Even in the event that the Bush administration rolls back HIPAA, market pressures, consumer concerns about privacy, payer pressures for standardized transaction formats and political pressures might restore the regulations. That is why it is important to:
Based on my understanding of the regulations and their potential cost impact to organizations, I believe that there might be a positive cost/benefit to compliance. I have completed development of some initial cost models based on various organization sizes, and my conclusions are:
While there is certainly variation in these estimates, my simulation modeling demonstrated that 90% of organizations should realize cost/benefit value of at least $1.34. I believe that, overall, an organization can experience a positive long-term benefit in complying with HIPAA.