
Are you compliant with the HIPAA Final Rule Regulations effective 9/23/2013?

Sunday, January 12, 2014
Posted by: Brook Schales

Amy King, Director of Quality & Provider Relations

By the time you read this article, you should be aware of the Federal Regulation changes that apply to "Covered Entities." These changes strengthen the privacy and security protections for health information established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Here is a brief summary of the Final Rule:

  • Expands many of the requirements to Business Associates of the Covered Entities that receive protected health information, such as contractors and subcontractors. Business Associates have up to one year after the 180-day compliance date to modify contracts to comply with the rule.
  • Penalties are increased for non-compliance based on the level of negligence with a maximum penalty of $1.5 million per violation.
  • Breach Notification requirements are strengthened by clarifying when breaches of unsecured health information must be reported to the Department of Health and Human Services.
  • Individual rights are expanded in important ways.
  • Patients can ask for a copy of their electronic medical record in an electronic form.
  • When individuals pay by cash they can instruct their provider not to share information about their treatment with their health plan.
  • Sets new limits on how information is used and disclosed for marketing and fundraising purposes and prohibits the sale of an individual's health information without their permission.
  • Reduces burden by streamlining individuals' ability to authorize the use of their health information for research purposes.
  • The rule makes it easier for parents and others to give permission to share proof of a child's immunization with a school.
  • Genetic information is protected under the HIPAA Privacy Rule, and most health plans are prohibited from using or disclosing genetic information for underwriting purposes.

Does HIPAA apply to my office?

If you have not done so already, you are highly encouraged to perform your due diligence in determining your answer. According to HIPAA, as outlined in the Code of Federal Regulations 45 CFR §160.103, a "health care provider" that conducts certain transactions electronically is considered a "covered entity" and must comply with HIPAA. A transaction is defined as "the transmission of information between two parties to carry out financial or administrative activities related to health care." Common transactions include communications regarding billing, payment, coordination of benefits, enrollment and disenrollment, and eligibility.

I utilize a billing service; does that mean my office does not have to comply with HIPAA?

No. A "health care provider," as described above, includes "any other person or organization who furnishes, bills, or is paid for health care in the normal course of business." This means health care providers that conduct any standard transaction electronically, or use a third party to do so (like a billing entity), are subject to the administrative simplification rules. Standard transactions include communications regarding billing, payment, coordination of benefits, enrollment and disenrollment, and eligibility.

What is Administrative Simplification?

This is a provision within HIPAA that is intended to reduce health care costs through electronic data interchange (EDI), standardizing electronic processing, and improving communication within the health care industry. This provision addresses electronic transaction standards, privacy and security standards, and unique identifiers (like NPI numbers).

Does HIPAA apply only to electronic data?

No, not if you are considered a "covered entity" under HIPAA. Once a "health care provider" has conducted a covered transaction electronically, then the provider is considered a covered entity and the HIPAA administrative simplification requirements apply to all activities of the provider. The Privacy standards apply to "individually identifiable health information" transmitted or maintained in any form, which includes oral, written, electronic or otherwise. The Security standards apply specifically to electronic PHI.

What information is protected?

Administrative Simplification generally applies to Protected Health Information, commonly referred to as PHI. PHI is information from which it is possible to identify an individual and that relates to the provision or payment of past, present or future medical care or condition. It's important to know that information can be PHI even without medical references, such as diagnosis or treatment information. Examples include demographic information such as name, address, phone number and social security number.

In summary, it is your responsibility, as providers of health care, to ensure your office has safeguards in place to protect the privacy and security of the health information of the patients you serve. This article in no way serves as legal advice. As with any State or Federal regulation, your due diligence in assessing your compliance is critical.

Amy King Bio

Ms. King currently directs CHP’s Provider Relations and Quality and oversees all credentialing/recredentialing, quality management, and member services ensuring top‐level customer service. A graduate of Oregon State University with a Bachelor’s Degree in Communications, she also earned an Advanced Studies Certificate in Human Resources Management from San Diego State University.


Contact

OREGON ASSOCIATION OF NATUROPATHIC PHYSICIANS
PO Box 5876
Portland, OR 97228

Phone: 503-262-8586