Healthcare is, perhaps, the most highly regulated industry in the United States, and healthcare compliance is a multi-faceted beast. It encompasses complex statutes, judicial decisions, a great many federal rules, United States Department of Health and Human Services guidance documents, the regulations of individual states' Departments of Health, and various accreditation standards.
Yet the specter that looms largest in the minds of hospital executives and General Counsel is the set of Privacy and Security Regulations known as HIPAA (the Health Insurance Portability and Accountability Act of 1996). Billions of healthcare compliance dollars have been spent on HIPAA consultants and perhaps more on HIPAA lawyers. HIPAA is incredibly cumbersome, running to the better part of 800 pages. Civil penalties for non-compliance can reach $1.5 million per calendar year for violations of a single provision, so ensuring compliance is enormously important. Just as the first rays of daylight chase away the monsters children are sure they have seen lurking under their beds all night, an understanding of the basic HIPAA tenets below can dry the organization's night sweats by giving this healthcare compliance initiative a clear focus.
The HIPAA regulations are divided into two principal Rules: the Privacy Rule and the Security Rule. The Security Rule supports the Privacy Rule by mandating administrative, physical and technical safeguards for health information that is created, stored or transmitted electronically (ePHI). The Privacy Rule was written to prevent the unauthorized use or disclosure of Protected Health Information (PHI), which covers both paper and electronic records. Under the Privacy Rule, PHI is individually identifiable health information about a person's physical or mental health condition, the health care provided to that person, or payment for that care. Information is considered identifiable when it carries one or more of the 18 identifiers listed in the Rule's de-identification standard (names, medical record numbers, full-face photographs, and so on).
The Privacy Rule is a regulation of exclusion: it protects a patient's right to privacy by prohibiting the disclosure of PHI for purposes other than treatment, payment or the health care operations of a provider or plan, unless the patient has explicitly authorized the disclosure. Exceptions include emergencies, as defined in the Rule, uses or disclosures required by law, and the provision of PHI to third-party contractors whose work requires access to it. These contractors are known as Business Associates, and the Privacy Rule requires them to sign contracts, known as Business Associate Agreements, in which they agree to follow HIPAA's precepts in keeping the information confidential. Since February 17, 2010, the effective date of the HITECH Act's business associate provisions, Business Associates have also been directly subject to HIPAA, which means they must comply with the law's requirements as though they were healthcare providers or plans themselves.
Healthcare consulting groups and HIPAA lawyers can prepare Gap Analysis Reports that help bring organizations into HIPAA compliance. At its root, the heart of compliance is not complex: use and disclose patient information only for its prescribed purposes. A culture of privacy already pervades the majority of hospitals, so bringing an organization into compliance with these regulations can usually be done without greatly disrupting that culture.