Sponsored by the HealthcareTrainingInstitute.org providing Quality Education since 1979

HIPAA: Setting Ethical Client Boundaries
3 CEUs HIPAA: Setting Ethical Client Boundaries

Section 6
HIPAA Privacy Standards Raise Complex Implementation Issues


Under HIPAA, healthcare organizations must not only ensure the privacy of protected information, but also ensure that organizations with which they do business maintain this privacy.

In November 1999, under the mandate of the Health Insurance Portability and Accountability Act (HIPAA) of 1996, HHS issued proposed standards to protect the privacy of electronically transmitted personal health information. With publication of the final standards due soon, healthcare organizations must prepare to implement new processes and information systems to comply with the HIPAA requirements. The privacy standards are intended to accomplish three broad objectives: define the circumstances in which protected health information may be used and disclosed, establish certain individual rights regarding protected health information, and require that administrative safeguards be adopted to ensure the privacy of protected health information. Among the required administrative safeguards are designation of a privacy officer, implementation of compliance training programs for all applicable staff, establishment of a complaint system, and implementation of appropriate sanctions for violations of privacy requirements.

Implementation of the health information privacy standards mandated by the Health Insurance Portability and Accountability Act (HIPAA) of 1996 has caused substantial concern to the healthcare industry. Among the most significant concerns are the significant costs many healthcare organizations will incur to meet the new requirements for safeguarding electronically transmitted personal health information. HHS received roughly 52,000 comments during the comment period for the proposed rule, which was issued November 3, 1999. The sheer volume of comments caused HHS to delay publication of the final rule, which at press time was anticipated to occur before year-end 2000.

Given the extent of concern about the proposed standards, HHS may make some modifications to them before issuing the final rule. Nonetheless, the final rule is not likely to differ drastically from the proposed rule, and the final standards are certain to have a profound impact on the healthcare industry. Healthcare financial managers therefore should begin immediately to prepare for implementation of the final standards. They should familiarize themselves with the issues to ease the complex planning process that will be necessary to ensure compliance with the new privacy standards.

The HIPAA Standards
In general, the proposed HIPAA privacy standards were designed to accomplish three broad objectives:

  • Define and limit the circumstances in which entities that are subject to the standards (covered entities) may use and disclose protected health information;
  • Establish certain individual rights regarding protected health information; and
  • Require covered entities to adopt administrative safeguards to protect the confidentiality and privacy of protected health information.

As currently proposed, the HIPAA privacy standards would prohibit all covered entities from using or disclosing "individually identifiable health information" that is or has been transmitted or maintained electronically, except in certain circumstances. Unlike many medical records statutes, this requirement would not be limited to the record in which the information appears, but rather would apply to the information itself. Thus, any information that has been transmitted by fax, telephone, computer, electronic handheld device, or any other electronic means would be protected by the HIPAA standards thereafter in whatever form it might appear, including oral communications.

"Individually identifiable health information" refers to information that is created by or received from a healthcare provider, health plan, employer, or healthcare clearinghouse that relates to the past, present, or future physical or mental health or condition of an individual who is either identified directly or could reasonably be identified using the information.

"Covered entities" include healthcare providers, health plans, and healthcare clearinghouses. "Healthcare provider" refers to any provider of healthcare services as defined in relevant Medicare provisions and to any other person or organization that furnishes, bills, or is paid for healthcare services or supplies in the normal course of business. "Health plan" is defined broadly to include any individual or group plan that provides or pays the cost of medical care. "Healthcare clearinghouse" is defined as a public or private entity that processes or facilitates the processing of nonstandard data elements of health information into standard data elements. Billing companies are considered to be healthcare clearinghouses.

The proposed regulations also affect business partners of covered entities. A "business partner" is a person (or other entity) to whom the covered entity discloses protected health information to enable that person to carry out or assist with the performance of a function for the covered entity, or perform the function on behalf of the covered entity. Examples of business partners include independent contractors or other persons or entities receiving information for the purposes noted above, including lawyers, accountants, auditors, consultants, billing firms, and other covered entities.

The proposed rule specifies that covered entities may not disclose protected health information to business partners without "satisfactory assurances" that the business partner complies with relevant standards. Satisfactory assurances include certain contractual language that must be included in all contracts between the covered entities and business partners. Accordingly, covered entities would need to consider HIPAA provisions when drafting contracts with independent contractors.

Covered entities also would be required to take "reasonable steps" to ensure business partners are in compliance with the proposed regulations. Such steps are important, as a covered entity would be liable for the misdeeds of a business partner if it knew or should have known of those misdeeds. Although HIPAA only authorized HHS to regulate healthcare providers, health plans, and healthcare clearinghouses, by requiring covered entities to be responsible for compliance of their business partners, HHS effectively extended the requirement of privacy protection to entities that it was not authorized to regulate.

Penalties for Noncompliance
The proposal does not allow for a private cause of action to be taken directly; rather, aggrieved persons would be able to lodge a complaint with the covered entity and with HHS. If the complaint were made to HHS, the agency would have discretion to make a formal finding of noncompliance and use it as a basis either to initiate an action under HIPAA or to refer the matter to the Department of Justice for prosecution under HIPAA.

Under the proposed rule, noncompliance with the HIPAA privacy standards could be punishable by civil fines of up to $25,000 per calendar year for each violation and criminal penalties that would increase in severity based on intent (e.g., whether the entity intended to sell the information or reap personal gain from the disclosure) and that could include a fine of up to $250,000 or a 10-year prison term, or both.
- DeMuro, Paul & Andrew Gantt; HIPAA privacy standards raise complex implementation issues; Healthcare Financial Management; Jan 2001; Vol. 55; Issue 1.
The article above contains foundational information. Articles below contain optional updates.

Personal Reflection Exercise #2
The preceding section contained information about the HIPAA privacy standards raising complex implementation issues. Write three case study examples regarding how you might use the content of this section in your practice.

Ethics CEUs QUESTION 6
According to DeMuro, how did HIPAA extend the requirement of privacy protection to entities that it was not authorized to regulate? Record the letter of the correct answer in the Ethics CEUs Answer Booklet.

 
Guide to HIPAA Compliance for Containers - ADT Magazine - November 14, 2017
Twistlock's Guide to HIPAA Compliance for Containers helps ensure that anyone who creates, receives, maintains, or transmits electronic personal health information (ePHI) is in compliance with the HIPAA Security Rule for containerized workloads.

MegaPath Successfully Completes 2017 HIPAA Compliance Audit - Business Wire (press release) - November 01, 2017
PLEASANTON, Calif.--(BUSINESS WIRE)--MegaPath, a leading provider of voice, data, security and cloud services in North America, today announced that its business communications services, including Hosted Voice, Contact Center and Unified ...

HIT Think Why making videos in healthcare facilities could pose a HIPAA risk - Health Data Management - November 22, 2017
The growing popularity and ease of video recordings make awareness of the interaction between video and HIPAA essential. As with so many other areas of HIPAA compliance, advance knowledge can help avoid misunderstandings and negative ...

AHIMA Notes Cybersecurity Prep, HIPAA Compliance as Focus Areas - HealthITSecurity.com - November 15, 2017
November 15, 2017 - All healthcare organizations can work on improving their privacy and security by focusing on their cybersecurity preparation, HIPAA compliance, and staying people-oriented, according to a recent blog post on the Journal of AHIMA.
