Are you compliant with the HIPAA Final Rule Regulations effective 9/23/2013?
Sunday, January 12, 2014
Posted by: Brook Schales
Director of Quality & Provider Relations

By the time you read this article, you should be aware of the Federal Regulation changes that apply to "Covered Entities." These changes strengthen the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Here is a brief summary of the Final Rule:
- Expands many of the requirements to Business Associates of the Covered Entities that receive protected health information, such as contractors and subcontractors. Business Associates have up to one year after the 180-day compliance date to modify contracts to comply with the rule.
- Penalties are increased for non-compliance based on the level of negligence, with a maximum penalty of $1.5 million per violation.
- Breach Notification requirements are strengthened by clarifying when breaches of unsecured health information must be reported to the Department of Health and Human Services.
- Individual rights are expanded in important ways.
  - Patients can ask for a copy of their electronic medical record in an electronic form.
  - When individuals pay by cash, they can instruct their provider not to share information about their treatment with their health plan.
- Sets new limits on how information is used and disclosed for marketing and fundraising purposes and prohibits the sale of an individual's health information without their
- Reduces burden by streamlining individuals' ability to authorize the use of their health information for research purposes.
- The rule makes it easier for parents and others to give permission to share proof of a child's immunization with a school.
- Genetic information is protected under the HIPAA Privacy Rule, and the rule prohibits most health plans from using or disclosing genetic information for underwriting purposes.
Does HIPAA apply to my office?
If you have not done so already, you are highly encouraged to perform your due diligence in determining your answer. According to HIPAA, as outlined in the Code of Federal Regulations 45 CFR §160.103, a "health care provider" that conducts certain transactions electronically is considered a "covered entity" and must comply with HIPAA. A transaction is defined as "the transmission of information between two parties to carry out financial or administrative activities related to health care." Common transactions include communications regarding billing, payment, coordination of benefits, enrollment and disenrollment, and eligibility.
I utilize a billing service; does that mean my office does not have to comply with HIPAA?
No. A "health care provider," as described above, includes "any other person or organization who furnishes, bills, or is paid for health care in the normal course of business." This means health care providers that conduct any standard transaction electronically, or use a third party to do so (like a billing entity), are subject to the administrative simplification rules. Standard transactions include communications regarding billing, payment, coordination of benefits, enrollment and disenrollment, and eligibility.
What is Administrative Simplification?
This is a provision within HIPAA that is intended to reduce health care costs through electronic data interchange (EDI), standardizing electronic processing and improving communication within the health care industry. This provision addresses electronic transaction standards, privacy and security standards, as well as unique identifiers (like NPI numbers).
Does HIPAA apply only to electronic
No, not if you are considered a "covered entity" under HIPAA. Once a "health care provider" has conducted a covered transaction electronically, the provider is considered a covered entity and the HIPAA administrative simplification requirements apply to all activities of the provider. The Privacy standards apply to "individually identifiable health information" transmitted or maintained in any form, which includes oral, written, electronic or otherwise. The Security standards apply specifically to electronic PHI.
What information is protected?
Administrative Simplification generally applies to Protected Health Information, commonly referred to as PHI. PHI is information from which it is possible to identify an individual and that relates to the provision or payment of past, present or future medical care or condition. It's important to know that information can be PHI even without medical references such as diagnosis or treatment information. Examples include demographic information such as name, address, phone number and social security number.
It is your responsibility, as providers of health care, to assure your office has safeguards in place to assure the privacy and security of the health information of the patients you serve. This article in no way serves as legal advice. As with any State or Federal regulation, your due diligence in assessing your compliance is critical.
Amy King Bio
Amy King currently directs CHP's Provider Relations and Quality and oversees all credentialing/recredentialing, quality management, and member services, ensuring top-level customer service. A graduate of Oregon State University with a Bachelor's Degree in Communications, she also earned an Advanced Studies Certificate in Human Resources Management from San Diego State University.