What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a federal law that requires compliance for any health plan, clearinghouse, or provider that creates, sends, or receives protected health information in an electronic format. Local public health departments across North Carolina are in various stages of their compliance efforts and some are just beginning. Due to the need for guidance and as a result of a collaborative effort between the NC Association of Local Health Directors and the NC Department of Health and Human Services, Division of Public Health, consultant services are being provided to assist local public health departments in North Carolina in their compliance efforts.
http://cms.hhs.gov/hipaa/
http://aspe.hhs.gov/admnsimp/pl104191.htm
http://www.sph.unc.edu/hipaa/consultant.htm
Background
(From: http://www.medicalprivacy.unc.edu/background.htm)
The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub. L. No. 104-191, made significant changes in several areas related to health care and health insurance. The provisions of the statute that received the most attention at the time of enactment related to the creation of new health insurance protections for workers who changed jobs and the modification of certain health insurance fraud and abuse enforcement tools. For example, HIPAA applied new restrictions to health insurers regarding conditioning benefits on an insured individual's preexisting conditions. Local governments, as employers, have been complying with many of these health insurance-related requirements for several years.
The subtitle of HIPAA that we are focusing on right now is entitled "Administrative Simplification," 42 U.S.C. § 1171 et seq. This subtitle includes several different provisions that require the U.S. Department of Health and Human Services (DHHS) to publish regulations relating to electronic data interchange of health information and data protection. DHHS has issued two Administrative Simplification regulations in final form (Transactions and Code Sets; Privacy) and several more are in process (Security, Provider Identifier, Plan Identifier, Employer Identifier, Claims Attachments and Enforcement).
Electronic Data Interchange (EDI) Regulations
Prior to HIPAA, the health care industry used a wide variety of different electronic formats to exchange information - primarily for billing purposes. This variety resulted in inefficiencies and increased administrative burden. The Administrative Simplification provisions of HIPAA are intended to standardize many of these electronic transactions so that health care providers and health plans will all "speak the same language," thereby reducing administrative costs.
HIPAA directs DHHS to develop several different regulations in order to achieve this standardization.
• Transactions and code sets: The transactions and code sets regulations are at the heart of Administrative Simplification. These regulations require health plans, health care providers and health care clearinghouses to use standardized formats for several different types of administrative and financial health care transactions and communications. For example, the transactions regulation identifies standard formats for health claims and health plan eligibility verifications and enrollment. The code sets regulation identifies standard sets of codes that are used to communicate medical information, such as diagnoses or medical procedures. These regulations have been finalized and covered entities must either come into compliance by October 2002 or file a compliance plan with DHHS to obtain a one-year extension (until October 2003).
• Identifiers: HIPAA requires the development of several different unique identifiers - specifically for health plans, health care providers, employers and individuals. The individual identifier has been put "on hold" indefinitely and is not likely to be developed anytime in the near future. The provider and employer identifier regulations were published in proposed form in 1998 and are expected to be finalized in the next year or two. The health plan identifier regulation is still under development.
• Claims attachments: When a health plan requests additional information from a provider in support of a claim for benefits, the provider may submit an "attachment" to the claim that includes specific information about the patient's condition or treatment. A regulation specifically governing health information in claims attachments is still under development.
http://cms.hhs.gov/hipaa/hipaa2/default.asp
Data Protection Regulations
Recognizing that the standardization of health care transactions will make it faster and easier to share personal health information, Congress included provisions in HIPAA to protect the privacy and security of that health information. Specifically, HIPAA directs DHHS to develop two separate regulations - one relating to privacy and one relating to security.
• Privacy: The privacy regulation provides a comprehensive framework of rules for the protection of identifiable health information in any form or medium (including paper, electronic and oral). A covered entity may only use and disclose health information as provided in the regulation and subject to all of the limitations and requirements specified in the regulation. The regulation also creates a series of new individual rights that all patients will have with respect to their health information - such as the right to a notice of privacy practices, the right to inspect, copy and amend health information and the right to a disclosure history. The privacy regulation has been finalized and most covered entities are required to comply with all of the requirements by April 2003. Small health plans must be in compliance by April 2004.
• Security: Security means ensuring that confidential information is not disclosed inappropriately, that the integrity of the information is maintained and that the information is available when necessary. The security regulation, therefore, will require covered entities to implement a series of administrative, technical and physical safeguards for health information. The regulation will also include a new standardized electronic signature to be used with HIPAA transactions. The security regulation has been finalized and most covered entities are required to comply with the requirements by April 2005. Small health plans must be in compliance by April 2006.
AMC’s HIPAA workgroup executive summary
http://www.aamc.org/members/gir/gasp/hipaaexecsummary.pdf
What are the issues about handling protected health information?
Excerpt from: Nov 25 2002 letter to Tommy Thompson from the NCVHS (National Committee on Vital and Health Statistics)
http://ncvhs.hhs.gov/021125lt.htm
Fears surrounding HIPAA also featured prominently in the testimony. Witnesses were very concerned about the possibility of overzealous enforcement by OCR as well as private lawsuits, both of which were viewed as costly to defend. Other witnesses reported that the fear of violating HIPAA already has resulted in negative health outcomes, including providers refusing to share patient medical information that would be helpful in treating another patient and a decline in mandatory or permissive reporting of essential health data to public health agencies, tumor registries, and other entities.
Another important part of the compliance picture is the need for education and training. Millions of health care workers will need to be trained in the next few months, but there is a dire shortage of expertise, materials, and funding. Overwhelmingly, witnesses said that generic training will not work; to be successful it must be customized by industry, entity, and job description. In addition, consumers have received virtually no information about HIPAA, and it will be difficult for them to understand the basis or context for the myriad notifications, acknowledgments, authorizations, and other forms with which they will soon be presented. Public education is complicated by consumers' varying levels of education, cognition, and language proficiency.
http://www.medicalprivacy.unc.edu/index.html
Office for Civil Rights (OCR) - This office is part of HHS. Its HIPAA responsibilities include oversight of the privacy requirements.
From: http://aspe.hhs.gov/sp/nhii/hixs.htm
Under today’s announcement, as part of new systems development efforts, all federal agencies will:
• Adopt Health Level 7 (HL7) messaging standards to ensure that each federal agency can share information that will improve coordinated care for patients such as entries of orders, scheduling appointments and tests and better coordination of the admittance, discharge and transfer of patients.
• Adopt certain National Council for Prescription Drug Programs (NCPDP) standards for ordering drugs from retail pharmacies to standardize information between health care providers and the pharmacies. These standards already have been adopted under the Health Insurance Portability and Accountability Act (HIPAA) of 1996, and today’s announcement will make sure that parts of the three federal departments that aren’t covered by HIPAA will also use the same standards.
• Adopt the Institute of Electrical and Electronics Engineers 1073 (IEEE 1073) series of standards that allow for health care providers to plug medical devices into information and computer systems that allow health care providers to monitor information from an ICU or through telehealth services on Indian reservations, and in other circumstances.
• Adopt Digital Imaging and Communications in Medicine (DICOM) standards that enable images and associated diagnostic information to be retrieved and transferred from various manufacturers’ devices as well as medical staff workstations.
• Adopt laboratory Logical Observation Identifiers Names and Codes (LOINC) to standardize the electronic exchange of clinical laboratory results.
Myths about HIPAA
Does the HIPAA Privacy Rule create a government database with all individuals' personal health information?
No. The Privacy Rule does not create such a government database or require a physician or any other covered entity to send medical information to the Federal government for a government database or similar operation.
What does the HIPAA Privacy Rule do?
Most health plans and health care providers that are covered by the new Rule
must comply with the new requirements by April 14, 2003.
The HIPAA Privacy Rule for the first time creates national standards to protect individuals’ medical records and other personal health information.
- It gives patients more control over their health information.
- It sets boundaries on the use and release of health records.
- It establishes appropriate safeguards that health care providers and others must achieve to protect the privacy of health information.
- It holds violators accountable, with civil and criminal penalties that can be imposed if they violate patients’ privacy rights.
- And it strikes a balance when public responsibility supports disclosure of some forms of data – for example, to protect public health.
For patients – it means being able to make informed choices when seeking care and reimbursement for care based on how personal health information may be used.
- It enables patients to find out how their information may be used, and about certain disclosures of their information that have been made.
- It generally limits release of information to the minimum reasonably needed for the purpose of the disclosure.
- It generally gives patients the right to examine and obtain a copy of their own health records and request corrections.
- It empowers individuals to control certain uses and disclosures of their health information.