Understanding HIPAA

Introduction

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was designed to establish standards and requirements for electronic transmission and storage of certain healthcare information. HIPAA compliance supports sound business practices and provides a framework for managing healthcare information while streamlining and improving service for providers, insurers and patients.

The main purposes of HIPAA are:

  1. Portability of healthcare coverage between plans
  2. Uniform standards for the security and privacy of electronically stored and transmitted healthcare data
  3. Improved efficiency in sharing health information among the entities involved in healthcare

The Administrative Simplification transaction standards mandated by HIPAA mean a significant increase in the use, transfer and storage of electronic data, all of which must be kept private, secure and portable. The final privacy rules became effective in April 2001 and gave healthcare providers 24 months to become compliant. If medical practices do not have processes and procedures in place by April 2003, the Department of Health and Human Services (DHHS) can impose civil penalties with hefty fines per violation. There may also be criminal penalties for security breaches committed knowingly, and additional or more severe penalties for attempting to conceal a breach.

As part of the security standards required by HIPAA, medical providers must have a contingency plan. Planning for emergencies includes regular backup of data, storage of backup media, availability of critical facilities and disaster recovery procedures. Maintaining written policies and procedures that document compliance with the HIPAA rules is also part of the security requirements.

Backup and Recovery Checklist

Contingency Plan in Place

  • Alternate equipment has been identified and tested
  • Critical processes have been identified
  • Interim processing procedures have been established and tested
  • Information systems insurance coverage is adequate

Backup Policy

  • Procedures are documented
  • Policies define backup frequency and retention periods
  • In-house and offsite storage procedures for backup data and programs are defined

Why is HIPAA good for patients, physicians, and healthcare entities?

HIPAA protects patient privacy. Under HIPAA, all patient-specific information is regarded as "protected health information" (PHI) regardless of the medium on which it resides, including computer hard drives, diskettes, e-mail, backup tapes, voice recordings and similar media, as well as paper printouts and reports. The rules protect the data and the individual's privacy independent of the operating platform and means of communication; they apply equally to a system that communicates over a local area network, a wide area network, or the Internet. In addition to privacy and security standards, HIPAA sets standards for electronic signatures, unique identifiers, and eight Electronic Data Interchange (EDI) code sets that define the format of electronically transmitted health information across Medicare, Medicaid, and other federal and private health programs.

HIPAA establishes sound business processes for physician practices. Compliance reduces physician and provider liability for violating patient privacy while saving practices time and money. Use of HIPAA-compliant secure messaging systems reduces the time and cost spent on the phone, on postage, paper, and printing. For example, it is far more efficient and convenient to transmit prescriptions to a pharmacy, or to send medical records to another physician or insurance provider, via secure email than through paper-based or mail systems. It is also more efficient to use secure email for routine correspondence than to try to reach busy medical staff by phone in the middle of a clinical workday. Compliance with the transaction standards affords real-time access to eligibility, enrollment, and claims status information, as well as improved cash flow.

Compliance Deadlines to Know

April 14, 2003: Privacy: Includes all covered entities except small health plans.
April 16, 2003: Electronic Health Care Transaction and Code Sets: All covered entities must have started software and systems testing.
October 16, 2003: Electronic Health Care Transaction and Code Sets: All covered entities that filed for an extension, and small health plans.
April 14, 2004: Privacy: Small health plans.
July 30, 2004: Employer Identifier Standard: All covered entities except small health plans.
April 20, 2005: Security standards must be implemented.
Source: Centers for Medicare and Medicaid Services.

The above information is not intended to be an exhaustive list of all potential HIPAA security considerations and is not intended to constitute legal advice regarding governmental regulations.