Sponsored by the HealthcareTrainingInstitute.org providing Quality Education since 1979

HIPAA: Setting Ethical Client Boundaries (3 CEUs)

Section 6: HIPAA Privacy Standards Raise Complex Implementation Issues


Under HIPAA, healthcare organizations must not only ensure the privacy of protected information, but also ensure that organizations with which they do business maintain this privacy.

In November 1999, under the mandate of the Health Insurance Portability and Accountability Act (HIPAA) of 1996, the Department of Health and Human Services (HHS) issued proposed standards to protect the privacy of electronically transmitted personal health information. With publication of the final standards due soon, healthcare organizations must prepare to implement new processes and information systems to comply with the HIPAA requirements. The privacy standards are intended to accomplish three broad objectives: define the circumstances in which protected health information may be used and disclosed, establish certain individual rights regarding protected health information, and require that administrative safeguards be adopted to ensure the privacy of protected health information. Among the required administrative safeguards are designation of a privacy officer, implementation of compliance training programs for all applicable staff, establishment of a complaint system, and implementation of appropriate sanctions for violations of privacy requirements.

Implementation of the health information privacy standards mandated by the Health Insurance Portability and Accountability Act (HIPAA) of 1996 has caused substantial concern to the healthcare industry. Among the most significant concerns are the significant costs many healthcare organizations will incur to meet the new requirements for safeguarding electronically transmitted personal health information. HHS received roughly 52,000 comments during the comment period for the proposed rule, which was issued November 3, 1999. The sheer volume of comments caused HHS to delay publication of the final rule, which at press time was anticipated to occur before year-end 2000.

Given the extent of concern about the proposed standards, HHS may make some modifications to them before issuing the final rule. Nonetheless, the final rule is not likely to differ drastically from the proposed rule, and the final standards are certain to have a profound impact on the healthcare industry. Healthcare financial managers therefore should begin immediately to prepare for implementation of the final standards. They should familiarize themselves with the issues to ease the complex planning process that will be necessary to ensure compliance with the new privacy standards.

The HIPAA Standards
In general, the proposed HIPAA privacy standards were designed to accomplish three broad objectives:

  • Define and limit the circumstances in which entities that are subject to the standards (covered entities) may use and disclose protected health information;
  • Establish certain individual rights regarding protected health information; and
  • Require covered entities to adopt administrative safeguards to protect the confidentiality and privacy of protected health information.

As currently proposed, the HIPAA privacy standards would prohibit all covered entities from using or disclosing "individually identifiable health information" that is or has been transmitted or maintained electronically, except in certain circumstances. Unlike many medical records statutes, this requirement would not be limited to the record in which the information appears, but rather would apply to the information itself. Thus, any information that has been transmitted by fax, telephone, computer, electronic handheld device, or any other electronic means would be protected by the HIPAA standards thereafter in whatever form it might appear, including oral communications.

"Individually identifiable health information" refers to information that is created by or received from a healthcare provider, health plan, employer, or healthcare clearinghouse that relates to the past, present, or future physical or mental health or condition of an individual who is either identified directly or could reasonably be identified using the information.

"Covered entities" include healthcare providers, health plans, and healthcare clearinghouses. "Healthcare provider" refers to any provider of healthcare services as defined in relevant Medicare provisions and to any other person or organization that furnishes, bills, or is paid for healthcare services or supplies in the normal course of business. "Health plan" is defined broadly to include any individual or group plan that provides or pays the cost of medical care. "Healthcare clearinghouse" is defined as a public or private entity that processes or facilitates the processing of nonstandard data elements of health information into standard data elements. Billing companies are considered to be healthcare clearinghouses.

The proposed regulations also affect business partners of covered entities. A "business partner" is a person (or other entity) to whom the covered entity discloses protected health information to enable that person to carry out or assist with the performance of a function for the covered entity, or perform the function on behalf of the covered entity. Examples of business partners include independent contractors or other persons or entities receiving information for the purposes noted above, including lawyers, accountants, auditors, consultants, billing firms, and other covered entities.

The proposed rule specifies that covered entities may not disclose protected health information to business partners without "satisfactory assurances" that the business partner complies with relevant standards. Satisfactory assurances include certain contractual language that must be included in all contracts between the covered entities and business partners. Accordingly, covered entities would need to consider HIPAA provisions when drafting contracts with independent contractors.

Covered entities also would be required to take "reasonable steps" to ensure business partners are in compliance with the proposed regulations. Such steps are important, as a covered entity would be liable for the misdeeds of a business partner if it knew or should have known of those misdeeds. Although HIPAA only authorized HHS to regulate healthcare providers, health plans, and healthcare clearinghouses, by requiring covered entities to be responsible for compliance of their business partners, HHS effectively extended the requirement of privacy protection to entities that it was not authorized to regulate.

Penalties for Noncompliance
The proposal does not allow for a private cause of action to be taken directly; rather, aggrieved persons would be able to lodge a complaint with the covered entity and with HHS. If the complaint were made to HHS, the agency would have discretion to make a formal finding of noncompliance and use it as a basis either to initiate an action under HIPAA or to refer the matter to the Department of Justice for prosecution under HIPAA.

Under the proposed rule, noncompliance with the HIPAA privacy standards could be punishable by civil fines of up to $25,000 per calendar year for each violation and by criminal penalties that would increase in severity based on intent (e.g., whether the entity intended to sell the information or reap personal gain from the disclosure) and that could include a fine of up to $250,000, a 10-year prison term, or both.

- DeMuro, Paul, & Andrew Gantt. "HIPAA privacy standards raise complex implementation issues." Healthcare Financial Management, Vol. 55, Issue 1, Jan 2001.

Personal Reflection Exercise #2
The preceding section contained information about the complex implementation issues raised by the HIPAA privacy standards. Write three case study examples regarding how you might use the content of this section in your practice.

Ethics CEUs QUESTION 6
According to DeMuro, how did HIPAA extend the requirement of privacy protection to entities that it was not authorized to regulate? Record the letter of the correct answer in the Ethics CEUs Answer Booklet.

