Class 10 – Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)


Penalties for wrongful disclosure of individually identifiable health information include fines of up to $5,000 and imprisonment of up to one year for a health care official; if the wrongful disclosure is committed under false pretenses, the potential fines are $100,000 and imprisonment of up to five years.


The federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) applies to health care providers engaging in electronic transactions, health plans and health care clearinghouses (basically an entity that processes information for health plans or providers).  Types of transactions affected by HIPAA include health claims, encounter data and payment and remittance advice.

HIPAA involves administrative simplification, privacy regulations and security standards.

For providers, the simplification of administrative tasks in health care, achieved by requiring all parties in the health care system to adopt a standard electronic format (identical claims forms, medical records, lab reports and other patient care and insurance documents), should eventually result in cost savings.  Departments handling medical records, member/patient accounting and enrollment, personnel and information technology will most likely be affected by the administrative simplification.

For hospitals, the standardization of administrative forms should eventually save money after the initial up-front cost of implementing transaction standards, considering that many hospitals currently deal with differing forms and requirements from insurance companies, along with different Medicaid plans and multiple Medicare intermediaries.

Arthur Andersen projects that the benefits of electronic standardization will start to be noticed three years after the regulations have been implemented.

The real costs of HIPAA, and much of the controversy, lie in the privacy regulations and security standards.  The fines of $100 per violation, with a total penalty not to exceed $25,000, are not a major threat for enforcing the privacy and security regulations against many health care officials when compared to the penalties for wrongful disclosure of individually identifiable health information.  Under those penalties a health care official can be fined up to $5,000 and imprisoned up to one year, and if the wrongful disclosure is committed under false pretenses the potential fines are $100,000 and imprisonment of up to five years.

The new law gives patients the right to:  receive written notice of information practices from health plans, request amendment or correction of protected health information that is inaccurate, and receive an accounting of the instances where protected health information has been disclosed by a covered entity.

What HIPAA basically means to providers is that health care providers will need to obtain patients’ signed authorizations for all previously unauthorized uses of their data.  Providers will need to tell patients exactly how their information is being used, including disclosure for peer review and a variety of essential activities.  However, the need for patient data in emergencies will supersede the need for authorization.

Covered entities will be required to maintain documentation of policies and procedures and have administrative systems in place to:  designate a privacy official, provide privacy training to members, implement safeguards to protect health information from intentional or accidental misuse, provide means for individuals to lodge complaints, and develop a system of sanctions.

According to the article, Gerald Hinkley of the law firm of Davis Wright Tremaine LLP of San Francisco, who spoke about legal aspects of HIPAA at the recent Symposium on E-Health Strategies for Physicians, Hospitals & Integrated Delivery Systems in Scottsdale, Arizona, recommends that providers adopt security management practices and procedures such as:   security testing policies and procedures like virus checkers, policies for installing and maintaining hardware and software, inventory of computer assets, locks and keys on computer systems, access controls, callback procedures to identify users, passwords, authentication procedures to verify the identity of system users, automatic logoff for equipment after periods of inactivity, and recording of audit trails.

HIPAA will no longer allow providers universal access to the records of any patient they choose.  In the past even billing clerks at hospitals were able to see everything related to a patient.  A concern to many hospitals is the “minimal necessary disclosure” of patient information under HIPAA.  For example, a billing clerk may need to know that a patient underwent an HIV test, but the billing clerk does not need to know the results of the test.
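The billing-clerk example above, together with the access-control and audit-trail practices listed earlier, can be expressed as a role-based, field-level filter over a patient record.  This is an added illustration, not code from the notes or from any HIPAA guidance; the record, the role names and the procedure code are constructed placeholders.

```python
from datetime import datetime, timezone

# Constructed sample patient record (placeholder values, not real data).
RECORD = {
    "patient_id": "P-0001",
    "name": "Jane Example",
    "procedure_code": "PROC-HIV-TEST",   # placeholder, not a real billing code
    "procedure": "HIV antibody test",
    "result": "negative",
    "charge_usd": 45.00,
}

# Minimum-necessary policy (assumed roles): each role sees only the fields
# it needs.  Billing learns that the test happened and what it costs, but
# never the result; only the treating clinician sees the result.
ROLE_FIELDS = {
    "billing": {"patient_id", "name", "procedure_code", "procedure", "charge_usd"},
    "treating_clinician": {"patient_id", "name", "procedure_code",
                           "procedure", "result", "charge_usd"},
}

# Audit trail of every disclosure attempt, including denials.
AUDIT_LOG = []


def disclose(record, role, user):
    """Return the subset of `record` that `role` is permitted to see,
    recording the disclosure (or the denial) in AUDIT_LOG."""
    entry = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "role": role,
        "patient_id": record["patient_id"],
    }
    allowed = ROLE_FIELDS.get(role)
    if allowed is None:
        # Unknown role: deny everything, but still leave an audit record.
        AUDIT_LOG.append({**entry, "fields": [], "outcome": "denied"})
        raise PermissionError(f"no disclosure policy for role {role!r}")
    view = {k: v for k, v in record.items() if k in allowed}
    AUDIT_LOG.append({**entry, "fields": sorted(view), "outcome": "disclosed"})
    return view


if __name__ == "__main__":
    print(disclose(RECORD, "billing", "clerk01"))
```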

Some hospitals may mistakenly try to claim that if information is in paper form then it is not subject to HIPAA.  This is a mistake, because all electronically stored information and its progeny are subject to HIPAA.  This means that if data is printed out, the printout is also subject to HIPAA.  Also, if a paper document is eventually entered into a computer, that original piece of paper is covered by the HIPAA regulations.  Another concern for hospitals is that HIPAA is coming at a time when many hospitals have little capital to invest in technologies and electronic systems.

Accordingly, the privacy regulations issued by Health and Human Services (HHS) as mandated by HIPAA apply to providers, health plans and healthcare clearinghouses that transmit health information in electronic form.  Healthcare organizations must develop internal controls, training, and reporting that comply with HIPAA’s data security and confidentiality requirements.
