Overview & Update
What is HIPAA? The Health Insurance Portability and Accountability Act of 1996 was the result of efforts by the Clinton Administration and congressional healthcare reform proponents to reform healthcare. The goals and objectives of this legislation are to streamline industry inefficiencies, reduce paperwork, make it easier to detect and prosecute fraud and abuse, and enable workers of all professions to change jobs, even if they (or family members) have pre-existing medical conditions.
HIPAA regulations are organized into three primary areas:
Privacy: Regulations have been finalized which set forth general rules for the uses and disclosures of individually identifiable health information by providers and
Administrative Simplification: Regulations have been enacted which create uniform standards and requirements for the electronic transmission of health information (Electronic Data Interchange).
Security: Regulations have been finalized which require providers and others
who maintain health information to maintain the security and integrity of individually
identifiable health information.
Who Must Comply? Regardless of whether you are the sponsor of a group health plan, HIPAA applies to you as an employer if you use protected health information to make employment decisions such as hiring, administering FMLA (Family Medical Leave Act) leave, ADA (Americans with Disabilities Act) accommodations, conducting drug screening and conducting fitness-for-duty exams. You'll need to comply as soon as possible to protect yourself from
Privacy April 14, 2003
The Privacy rule requires covered entities to implement formal policies, procedures and best practices regarding who has the right to access patient identifiable health information. The rule covers all individually identifiable health information in the past, present and future, regardless of form, including oral, written and electronic. The Privacy portion of HIPAA includes numerous requirements which protect the patient's rights, including:
- limit the use and release of private health information
without prior consent
- give patients new rights to access their medical records
and to know who else has accessed them
- restrict most disclosure of health information to the
minimum needed for the intended purpose
Who must Comply? The Privacy regulations have been finalized, and compliance is due from all covered entities by April 14, 2003, with the following exception: small health plans (a group or individual health plan with fewer than 50 participants) have until April 14, 2004.
Electronic Data Interchange (EDI) Administrative Simplification October 15,
Status: Finalized Compliance Date: October 15,
What is it? Many healthcare providers and health plans
already use Electronic Data Interchange (EDI) when exchanging
data with their business partners. The DHHS estimates there are
over 400 formats currently being used, making standardization
almost impossible. In order to perform EDI efficiently, HIPAA
requires a common format and data structure be used when exchanging
specific transaction types, code sets and Identifiers electronically.
Who must Comply?
--If you currently transmit identifiable patient information electronically, you must comply with the HIPAA regulations. If you are not EDI compliant, you should have filed for an extension by Oct. 15, 2002.
--If you filed for the extension, you must be in compliance with EDI by Oct. 16, 2003.
--If you did not file, you are expected to be compliant with EDI today and could be subject to fines.
Health plans are required to have the capability to send and receive all HIPAA transactions now or by Oct. 16, 2003, if you filed for
Medicare will not accept paper claims after Oct. 16, 2003, with the following exception: if you have fewer than 10 employees, you are allowed an exception.
Other payers will follow suit and require electronic transmission
in the near future.
Security April 20, 2005
HIPAA Regulations: Security Status: Finalized Compliance Date: April 20, 2005
What is it? The Security
rule requires covered entities that maintain or transmit Patient Identifiable
Data to develop and implement formal policies, procedures and best practices that
will safeguard the integrity, confidentiality, and availability of its electronic
data. The Security Standards include numerous requirements under the following
--Administrative procedures to guard data integrity, confidentiality, and availability. Documented, formal practices that will protect data and manage the conduct of personnel with regard to patient data. This includes items such as Business Agreements, Chain of Trust Agreements and Contingency Plans.
--Physical safeguards to guard data integrity, confidentiality, and availability. Protection of physical computer systems and related buildings and equipment from fire, environmental hazards or intrusion. This covers the use of locks, keys, and administrative measures used to control access to computer systems and facilities.
--Technical security services to guard the integrity, confidentiality, and availability of patient data. This requirement includes access control, audit controls and system requirements that must be put in place to protect information and to control individual access to information.
--Technical security mechanisms: processes that are put in place to guard against unauthorized access to data that is transmitted over a communications network. This covers items such as alarms, audit trails and access controls over the network.
Resources Government Sponsored Sites
The HHS site has all the government regulations, Questions & Answers,
and meeting minutes available to download.
The HHS web site on HIPAA happenings; including a place to sign up for
a free government e-mail newsletter on HIPAA news.
This URL from Guide to Healthcare Schools allows an organization to determine, through a short self-administered questionnaire, whether or not it is a covered entity.
HHS released this useful summary fact sheet entitled Protecting the Privacy of Patients' Health Information. Protections and enforcement rules are explained in the document.
Resources Private Sector Sponsored Sites
This is a long-standing private sector organization dedicated
to fostering widespread support for the adoption of electronic
commerce within healthcare. They have led the effort in advising
HHS in implementing HIPAA and other electronic standards. This
site gives access to background papers, industry white papers,
and links to many other HIPAA sites.
AFEHCT serves as a healthcare industry association dedicated to supporting the use of EDI and improving health care while reducing its cost. The AFEHCT site offers access to the papers coming out of its various HIPAA related work groups as well as links to member sites and a "library" of HIPAA related papers.
General information on health law, not limited to HIPAA issues. The Current in Health Law section includes ways to sign up for Health Law Highlights, a free weekly news update.
Association of developers of electronic health records; the intent is
to promote the development and acceptance of Electronic Medical Record (EMR).
Sense Privacy Practice Procedures to review with your staff:
1. Patient information of any nature is confidential. This includes information from or about medical records, test results, appointments, and referrals. Even a patient's presence at our medical practice offices should not be disclosed.
2. Staff must not discuss patient information with anyone who is not involved in the patient's care and entitled to receive such information. Do not discuss patient information with your family members, friends, in social conversations, etc. Such breaches of privacy/confidentiality may subject employees to disciplinary action, including termination.
3. When in doubt, do not disclose patient information until you ask your supervisor or the Privacy Officer for clarification (emergency situations may be an exception).
4. As a general rule, patient information may be disclosed when
specifically authorized by the patient; when it is necessary for
purposes of treatment, payment, or health operations; or when
required by law. But there are rules that apply to each
disclosure for purposes of treatment, payment and health operations,
and patient authorizations.
5. Be aware of confidentiality when answering patients' questions, providing test results, making appointments, making referrals, checking insurance eligibility, obtaining prior
6. As a general rule, an adult patient's information cannot be released to the patient's spouse or other family member without the patient's authorization. For example, if a patient's husband calls asking for the results of his wife's pregnancy test, or other test results, our policy is to tell him that we are sorry, but we cannot release information without the patient's specific, written authorization.
7. Patient information regarding an adult child should not be disclosed to a parent without the patient's
8. For minors, patient information cannot be released to third parties without the consent of the parent or the patient's legal
9. Employees should not allow medical information on computer
monitors to be visible to patients.
10. Backups of computer files will be maintained by the Privacy Officer and one other designated individual in a
11. Do not disclose your passwords to anyone, including other employees. Passwords will be assigned by the Privacy Officer, changed at appropriate intervals, deleted when an employee leaves or is assigned to another position, reissued when there is a concern that passwords are not secure, etc.
12. Keep patient charts, encounter forms, and other documents face down. Never leave such documents where unauthorized persons can see or take them.
13. Use special receptacles marked "Patient Information to Be Shredded" when disposing of any written material that may contain protected patient information.
14. Place medical records, test results, etc., in slots in exam room doors so that they face the door or wall. Speak softly to others in person or over the phone. Try to avoid stating the patient's name whenever possible.
15. Change the sign-in sheet to a new page at least hourly. Do not allow or require patients to write the reason for the visit on the sign-in sheet. The fact that an individual is a patient at this medical practice is confidential information.
16. Whenever possible, speak to patients about their medical information in private offices and exam rooms. Do not discuss the patient's condition, reason for the visit, and the like in the waiting area or in front of those not involved in their care.
17. When making an appointment, ask the patient where they
may be reached to confirm the appointment, ask questions, or for other purposes.
18. If you call the patient to confirm an appointment, provide test results, etc., and they are not available, simply leave a message asking them to call you. If you get an answering machine (voice mail), simply leave a message with your name and
19. Unless you are sure we have the patient's permission to release information, do not do so. Unless you have the need to know, do not ask patients why they are here, what problems they are having, and the like.
20. If you pull medical records, file information, etc., do not read any more information than necessary to complete the task at hand. For example, if you are asked to pull a patient's chart, you do not need any more information from the chart than the patient's name and medical record number. If you are asked to find certain information in the chart, do not read any more information than necessary.
21. Information about employees who receive care will be considered confidential just as if they were a patient who is not employed by this medical practice.
22. When you see patients outside the office,
do not ask specific questions from your knowledge of their patient information
unless you can do so privately and it is appropriate.