
HIPAA: Setting Ethical Client Boundaries (3 CEUs)

Section 6
HIPAA Privacy Standards Raise Complex Implementation Issues


Under HIPAA, healthcare organizations must not only ensure the privacy of protected information, but also ensure that organizations with which they do business maintain this privacy.

In November 1999, under the mandate of the Health Insurance Portability and Accountability Act (HIPAA) of 1996, the Department of Health and Human Services (HHS) issued proposed standards to protect the privacy of electronically transmitted personal health information. With publication of the final standards due soon, healthcare organizations must prepare to implement new processes and information systems to comply with the HIPAA requirements. The privacy standards are intended to accomplish three broad objectives: define the circumstances in which protected health information may be used and disclosed, establish certain individual rights regarding protected health information, and require that administrative safeguards be adopted to ensure the privacy of protected health information. Among the required administrative safeguards are designation of a privacy officer, implementation of compliance training programs for all applicable staff, establishment of a complaint system, and implementation of appropriate sanctions for violations of privacy requirements.

Implementation of the health information privacy standards mandated by the Health Insurance Portability and Accountability Act (HIPAA) of 1996 has caused substantial concern in the healthcare industry. Chief among these concerns is the cost many healthcare organizations will incur to meet the new requirements for safeguarding electronically transmitted personal health information. HHS received roughly 52,000 comments during the comment period for the proposed rule, which was issued November 3, 1999. The sheer volume of comments caused HHS to delay publication of the final rule, which at press time was anticipated to occur before year-end 2000.

Given the extent of concern about the proposed standards, HHS may make some modifications to them before issuing the final rule. Nonetheless, the final rule is not likely to differ drastically from the proposed rule, and the final standards are certain to have a profound impact on the healthcare industry. Healthcare financial managers therefore should begin immediately to prepare for implementation of the final standards. They should familiarize themselves with the issues to ease the complex planning process that will be necessary to ensure compliance with the new privacy standards.

The HIPAA Standards
In general, the proposed HIPAA privacy standards were designed to accomplish three broad objectives:

  • Define and limit the circumstances in which entities that are subject to the standards (covered entities) may use and disclose protected health information;
  • Establish certain individual rights regarding protected health information; and
  • Require covered entities to adopt administrative safeguards to protect the confidentiality and privacy of protected health information.

As currently proposed, the HIPAA privacy standards would prohibit all covered entities from using or disclosing "individually identifiable health information" that is or has been transmitted or maintained electronically, except in certain circumstances. Unlike many medical records statutes, this requirement would not be limited to the record in which the information appears, but rather would apply to the information itself. Thus, any information that has been transmitted by fax, telephone, computer, electronic handheld device, or any other electronic means would be protected by the HIPAA standards thereafter in whatever form it might appear, including oral communications.

"Individually identifiable health information" refers to information that is created by or received from a healthcare provider, health plan, employer, or healthcare clearinghouse that relates to the past, present, or future physical or mental health or condition of an individual who is either identified directly or could reasonably be identified using the information.

"Covered entities" include healthcare providers, health plans, and healthcare clearinghouses. "Healthcare provider" refers to any provider of healthcare services as defined in relevant Medicare provisions and to any other person or organization that furnishes, bills, or is paid for healthcare services or supplies in the normal course of business. "Health plan" is defined broadly to include any individual or group plan that provides or pays the cost of medical care. "Healthcare clearinghouse" is defined as a public or private entity that processes or facilitates the processing of nonstandard data elements of health information into standard data elements. Billing companies are considered to be healthcare clearinghouses.

The proposed regulations also affect business partners of covered entities. A "business partner" is a person (or other entity) to whom the covered entity discloses protected health information to enable that person to carry out or assist with the performance of a function for the covered entity, or perform the function on behalf of the covered entity. Examples of business partners include independent contractors or other persons or entities receiving information for the purposes noted above, including lawyers, accountants, auditors, consultants, billing firms, and other covered entities.

The proposed rule specifies that covered entities may not disclose protected health information to business partners without "satisfactory assurances" that the business partner complies with relevant standards. Satisfactory assurances include certain contractual language that must be included in all contracts between the covered entities and business partners. Accordingly, covered entities would need to consider HIPAA provisions when drafting contracts with independent contractors.

Covered entities also would be required to take "reasonable steps" to ensure business partners are in compliance with the proposed regulations. Such steps are important, as a covered entity would be liable for the misdeeds of a business partner if it knew or should have known of those misdeeds. Although HIPAA only authorized HHS to regulate healthcare providers, health plans, and healthcare clearinghouses, by requiring covered entities to be responsible for compliance of their business partners, HHS effectively extended the requirement of privacy protection to entities that it was not authorized to regulate.

Penalties for Noncompliance
The proposal does not allow for a private cause of action to be taken directly; rather, aggrieved persons would be able to lodge a complaint with the covered entity and with HHS. If the complaint were made to HHS, the agency would have discretion to make a formal finding of noncompliance and use it as a basis either to initiate an action under HIPAA or to refer the matter to the Department of Justice for prosecution under HIPAA.

Under the proposed rule, noncompliance with the HIPAA privacy standards could be punishable by civil fines of up to $25,000 per calendar year for each violation and by criminal penalties that would increase in severity based on intent (e.g., whether the entity intended to sell the information or reap personal gain from the disclosure) and that could include a fine of up to $250,000, a 10-year prison term, or both.
- DeMuro, Paul, and Andrew Gantt; "HIPAA Privacy Standards Raise Complex Implementation Issues"; Healthcare Financial Management; January 2001; Vol. 55, Issue 1.
The article above contains foundational information. Articles below contain optional updates.

Personal Reflection Exercise #2
The preceding section contained information about the HIPAA privacy standards raising complex implementation issues. Write three case study examples regarding how you might use the content of this section in your practice.

Ethics CEUs QUESTION 6
According to DeMuro, how did HIPAA extend the requirement of privacy protection to entities that it was not authorized to regulate? Record the letter of the correct answer in the Ethics CEUs Answer Booklet.


Four Years Since HIPAA Omnibus: What's Changed? - GovInfoSecurity.com - September 25, 2017
Most notably, the rule made business associates directly liable for HIPAA compliance and also stated that security incidents involving protected health information are presumed to be reportable HIPAA breaches unless organizations can demonstrate using ...

5 common HIPAA compliance pitfalls for healthcare orgs to avoid - Healthcare IT News - September 13, 2017
HIPAA was established before these cyber threats became such an issue, which can cause some challenges with trying to keep up, said Matt Fisher, partner with Mirick O'Connell, in opening the HIPAA compliance session at the Healthcare Security Forum on ...

Reviewing OCR HIPAA Guidance to Maintain Compliance - HealthITSecurity.com - September 22, 2017
Covered entities should not be afraid to regularly review OCR HIPAA guidance and ensure that they remain compliant, even as they add new technologies into the daily workflow, according to OCR Senior Advisor for HIPAA Compliance ...

Ipswitch completes rigorous SOC 2, HIPAA and PCI-DSS exams Administered by data security compliance leader 360 ... - GlobeNewswire (press release) - September 25, 2017
LEXINGTON, Mass., Sept. 25, 2017 (GLOBE NEWSWIRE) -- Ipswitch, the leader in easy to try, buy and use IT and network management software, with offices in the U.S., Ireland, Netherlands and Japan, has earned compliance with the demanding data ...

Layer Successfully Achieves HIPAA Compliance - Business Wire (press release) - September 14, 2017
SAN FRANCISCO--(BUSINESS WIRE)--Layer Inc. today announced it has met requirements for HIPAA privacy and security compliance, demonstrating its ongoing commitment to powering the next generation of healthcare technology and increasing ...
