Sponsored by the HealthcareTrainingInstitute.org providing Quality Education since 1979
HIPAA is the Health Insurance Portability and Accountability Act, and it was passed with broad bipartisan congressional support in 1996. At the time the legislation was enacted, most behavioral health and human service providers were focused on three important provisions of HIPAA:
Today, that little phrase makes the other two provisions of the act pale in significance when it comes to impact on the healthcare system over the next two to four years. Because of this, many experts have characterized HIPAA as one of the most far-reaching pieces of healthcare legislation ever enacted.
The "administrative simplification" features of HIPAA are really composed of two major parts:
Why all the concern? I believe that behavioral health and human service organizations will face the most scrutiny from consumers because:
There are requirements limiting the disclosure of psychotherapy notes that we believe will cause serious concern once the privacy and security regulations are finalized. We will have more to say on this in future issues.
Let's make one thing clear: If you are reading this article, you are probably covered by HIPAA. Overall, the legislation covers health plans, healthcare clearinghouses, healthcare providers and employers. The specific definitions of these entities are:
For those still doubtful about their HIPAA "exposure," let's look at the specific definitions of the act. It specifically states that the definition of a healthcare provider is:
Among other things, "healthcare" is defined as follows: Services or supplies furnished to an individual and related to the health of the individual. Healthcare includes the following: preventive, diagnostic, therapeutic, rehabilitative, maintenance or palliative care; counseling; service; or procedure with respect to the physical or mental condition, or functional status, of an individual or affecting the structure or function of the body.
If, after reading this and other material pertaining to HIPAA (see "Additional Resources," page 41), you believe that you are not covered by this legislation, I strongly suggest you obtain a competent legal opinion from an attorney with experience in healthcare, including interpretation of Medicare regulations and HIPAA itself.
In addition, HIPAA covers any "business partner" of a covered entity. A business partner includes a person to whom the covered entity discloses protected health information so that the person can carry out, assist with the performance of or perform on behalf of a function or activity for the covered entity. Examples include contractors or other persons who receive information for purposes noted above, including lawyers, accountants, auditors, consultants and billing firms.
Covered entities cannot disclose protected health information to business partners without satisfactory assurances that the partner complies with relevant HIPAA standards.
Step 1: Educate yourself, and promote awareness and education among senior management and the board of directors. HIPAA should be considered a serious compliance initiative, and every effective compliance program begins with a formal commitment from the governing body.
Because this compliance will require resources in the form of funding and staff time, senior management must be forthright in its approach to the compliance effort. (Web sites that offer downloadable presentation materials are listed in "Additional Resources.")
Step 2: Develop an organization project team for managing HIPAA compliance. Most organizations had some sort of compliance committee or team in place for Y2K preparations or have one for JCAHO, CARF or other accreditation and/or regulatory concerns. These teams can serve as a logical point to begin HIPAA compliance assessments and planning.
Step 3: Conduct an organizational risk assessment. This can be a complicated and time-consuming task. I suggest the following approach:
Step 4: Develop and implement policies and procedures to address identified risks. The most important point of this step is to implement "policies and procedures" revisions and additions. There might be adjustments to the overall project plan in this phase because:
Step 5: Develop and implement staff education and training. This is specifically required by the legislation, and is not a one-time event. Staff will need to be retrained when new technology and operational practices are developed and deployed. Organizations with high staff turnover will face the most cost and management burdens in keeping staff up to speed. Additionally, under the law, staff will have to be recertified in this at least once every three years.
Step 6: Provide continual auditing and monitoring of compliance activities. This goes beyond putting something on paper. In order to be judged compliant, an organization will have to document that it has followed those policies and procedures approved by senior management and the board of directors.
While there is some speculation about the fate of these regulations given the change in the White House, most industry observers believe that there is no legislative mandate for change in the coming years. Even in the event that the Bush administration rolls back HIPAA, market pressures, consumer concerns about privacy, payer pressures for standardized transaction formats and political pressures might restore the regulations. That is why it is important to:
Based on my understanding of the regulations and their potential cost impact to organizations, I believe that there might be a positive cost/benefit to compliance. I have completed development of some initial cost models based on various organization sizes, and my conclusions are:
While there is certainly variation in these estimates, my simulation modeling demonstrated that 90% of organizations should realize a cost/benefit value of at least $1.34. I believe that, overall, an organization can experience a positive long-term benefit in complying with HIPAA.
Reflection Exercise #3
Ethics CEU QUESTION 10