HIPAA Laws 101
HIPAA laws are simply designed to protect patient privacy, but from "covered entities" to "PHI" they often leave healthcare professionals scratching their heads in confusion.
Here we answer some frequently asked questions about HIPAA regulations and how they affect day-to-day operations. Remember, though, this is only a quick-start guide, and a comprehensive review of HIPAA laws can be found on the HHS website.
1. What are HIPAA laws?
HIPAA laws were passed in 1996 to protect a patient's personal health information (PHI), which includes medical records, conversations with doctors about treatment, and health insurance details. Any organization which has access to your PHI must comply with industry-wide standards for safeguarding information, limiting its use, and ensuring that when it is disclosed, it is done so appropriately, and when necessary with the patient's authorization.
2. What is the HIPAA Privacy Rule?
The Privacy Rule must be followed by any entity that transmits health information. It requires that the use or sharing of any "individually identifiable health information," whether electronic, paper or oral, be authorized by the patient first. Organizations comply with the HIPAA Privacy Rule by implementing various privacy policies, including designating an in-house privacy official, training management and staff periodically, safeguarding data, and more. See HIPAA Compliance Issues for more information.
3. Who needs to observe HIPAA regulations regarding privacy?
Pretty much ANYONE who handles or transmits your PHI must comply with HIPAA regulations, from the secretary at the dentist's office to a health insurance provider. These people or organizations are called "covered entities" in HIPAA speak, and they include health care providers, any clerical organizations that have access to your PHI, clinics' offices, insurance companies and even your doctors themselves.
In addition, business associates, or any organization which performs services on behalf of a "covered entity", such as data analysis or consulting, must observe HIPAA laws. They are often required to sign a contract guaranteeing to safeguard the patient's PHI.
4. What is the HIPAA Security Rule?
This regulation sets national standards designed to protect health information that is held in an electronic format. It outlines efficient new technologies for everyone from providers to billing companies to protect patient information. It protects your PHI by requiring security safeguards, such as assuring the confidentiality, integrity and availability of information, and protecting against prohibited use or disclosure. This rule also demands full employee compliance from covered entities.
5. What happens if my office, a covered entity, isn't in compliance?
The Department of Health and Human Services, which oversees HIPAA laws, can issue fines ranging from $100 for unintentional non-compliance to $50,000 for willful neglect of the regulation. More serious infractions can incur a fine of $250,000 and even a prison sentence, so start educating yourself and your staff today!