What is HIPAA?
The Health Insurance Portability and Accountability Act of 1996 (signed August 21, 1996), Public Law 104-191, which amends the Internal Revenue Code of 1986. Also known as the Kennedy-Kassebaum Act.
HIPAA Health Insurance Reform
Title I of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects health insurance coverage for workers and their families when they change or lose their jobs. Visit this site to find out about pre-existing conditions and portability of health insurance coverage.
HIPAA Administrative Simplification
The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA, Title II) require the Department of Health and Human Services to establish national standards for electronic health care transactions and national identifiers for providers, health plans, and employers. They also address the security and privacy of health data. Adopting these standards will improve the efficiency and effectiveness of the nation's health care system by encouraging the widespread use of electronic data interchange in health care.
The bottom line: sweeping changes in most health care transaction and administrative information systems.
Who is affected?
Essentially all health care organizations. The rules apply directly to the "covered entities": health plans, health care clearinghouses, and every health care provider that conducts standard transactions electronically, even a 1-physician office. Through those entities they also reach employers (as plan sponsors), public health authorities, life insurers, billing agencies, information systems vendors, service organizations, and universities that handle protected health information on a covered entity's behalf.
Are there penalties?
HIPAA calls for severe civil and criminal penalties for noncompliance, including:
-- civil fines of up to $25,000 per calendar year for multiple violations of the same standard
-- criminal fines of up to $250,000 and/or imprisonment of up to 10 years for knowing misuse of individually identifiable health information with intent to sell it or use it for commercial advantage, personal gain, or malicious harm (lower tiers apply to simple knowing misuse and to misuse under false pretenses)
Most entities have 24 months from the effective date of a final rule to achieve compliance (small health plans get 36 months). Normally, the effective date is 60 days after a rule is published in the Federal Register.
The Transactions Rule was published on August 17, 2000, so the compliance date for that rule is October 16, 2002.
The Privacy Rule was published on December 28, 2000, but because of a procedural glitch in its submission to Congress it did not become effective until April 14, 2001. Compliance with the Privacy Rule is required by April 14, 2003.
The Security Rule was published on February 20, 2003. Regulation effective date: April 21, 2003. Compliance date: April 20, 2005 for most covered entities (April 20, 2006 for small health plans).
History: how did we get HIPAA?
Administrative Simplification under HIPAA:
National Standards for Transactions, Security, and Privacy
Updated March 3, 2003
Overview: To improve the efficiency and effectiveness of the health care system, the Health Insurance Portability and Accountability Act (HIPAA) of 1996 included a series of "administrative simplification" provisions that required the Department of Health and Human Services (HHS) to adopt national standards for electronic health care transactions. By ensuring consistency throughout the industry, these national standards will make it easier for health plans, doctors, hospitals and other health care providers to process claims and other transactions electronically. The law also requires the adoption of security and privacy standards in order to protect personal health information.
HHS is issuing the following major regulations:
Electronic health care transactions (final rule issued);
Health information privacy (final rule issued);
Unique identifier for employers (final rule issued);
Security requirements (final rule issued);
Unique identifier for providers (proposed rule issued; final rule in development);
Unique identifier for health plans (proposed rule in development); and
Enforcement procedures (proposed rule in development).
Although the HIPAA law also called for a unique health identifier for individuals, HHS and Congress have indefinitely postponed any effort to develop such a standard.
Under HIPAA, most health plans, health care clearinghouses and health care providers who engage in certain electronic transactions have two years from the time the final regulation takes effect to implement each set of final standards.
More information about the HIPAA standards is available here on hipaadvisory.com, on HHS' Administrative Simplification web site <http://aspe.hhs.gov/admnsimp/>, and on CMS' HIPAA web site <http://www.cms.gov/hipaa>.
Why a law was needed:
Concerns about the lack of attention to information privacy in the health care industry are not merely theoretical. In the absence of a national legal framework of health privacy protections, consumers are increasingly vulnerable to the exposure of their personal health information. Disclosure of individually identifiable information can occur deliberately or accidentally, and can occur within an organization or be the result of an external breach of security.
Examples of recent privacy breaches include:
* A Michigan-based health system accidentally posted the medical records of thousands of patients on the Internet (The Ann Arbor News, February 10, 1999).
* A Utah-based pharmaceutical benefits management firm used patient data to solicit business for its owner, a drug store (Kiplinger's, February 2000).
* An employee of the Tampa, Florida, health department took a computer disk containing the names of 4,000 people who had tested positive for HIV, the virus that causes AIDS (USA Today, October 10, 1996).
* The health insurance claims forms of thousands of patients blew out of a truck on its way to a recycling center in East Hartford, Connecticut (The Hartford Courant, May 14, 1999).
* A patient in a Boston-area hospital discovered that her medical record had been read by more than 200 of the hospital's employees (The Boston Globe, August 1, 2000).
* A Nevada woman who purchased a used computer discovered that the computer still contained the prescription records of the customers of the pharmacy that had previously owned the computer. The pharmacy database included names, addresses, Social Security numbers, and a list of all the medicines the customers had purchased (The New York Times, April 4, 1997 and April 12, 1997).
* A speculator bid $4,000 for the patient records of a family practice in South Carolina. Among the businessman's uses of the purchased records was selling them back to the former patients (The New York Times, August 14, 1991).
* In 1993, The Boston Globe reported that Johnson and Johnson marketed a list of 5 million names and addresses of elderly incontinent women (ACLU Legislative Update, April 1998).
* A few weeks after an Orlando woman had her doctor perform some routine tests, she received a letter from a drug company promoting a treatment for her high cholesterol (Orlando Sentinel, November 30, 1997).
No matter how or why a disclosure of personal information is made, the harm to the individual is the same. In the face of industry evolution, the potential benefits of our changing health care system, and the real risks and occurrences of harm, protection of privacy must be built into the routine operations of our health care system.
Privacy breaches information from Part 1 of the law: