HIPAA Facts and Standards

What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that, among other things, protects the privacy of patients' health care information. Each time a patient sees a doctor, or a claim is sent to a health plan, a record of the patient's confidential health information is created.

Before HIPAA, the use and disclosure of this information was protected only by a patchwork of state laws, leaving gaps in the protection of patients' privacy and confidentiality. The HIPAA Privacy Standards fill those gaps, creating a federal "baseline" for protecting the privacy of an individual's health information. States may still impose stricter protections, and where a state law is more protective it continues to apply.

  • HIPAA - Unsure how to handle HIPAA?
  • CMS - Centers for Medicare & Medicaid Services

What is PHI?

Protected Health Information is individually identifiable health information, including medical and billing records, that a covered entity creates, receives, maintains, or transmits in any form: electronically, on paper, or orally.

  • PHI - More information from the Department of Health and Human Services on how to keep your health information private.

What are some of the things that the regulation requires a company do to be in compliance?

  • Obtain the patient's written authorization before using or disclosing PHI for any purpose other than treatment, payment, and health care operations (TPO) or another use the Privacy Rule specifically permits or requires.
  • Implement written policies and procedures designed to protect a patient's privacy, and train the workforce on them.
  • Designate a Privacy Officer responsible for developing and implementing those policies and procedures, maintaining compliance documentation, and ensuring that they are followed.
  • Provide a Notice of Privacy Practices to all patients informing them of their rights and of how their information can be used and disclosed.

What does TPO stand for?

Treatment, Payment, and Health Care Operations. These are the three purposes for which a covered entity may use and disclose a patient's Protected Health Information (PHI) without the patient's authorization: to treat the patient, to obtain payment for that care, and to run the health care practice. Disclosures for any other purpose generally require the patient's written authorization. Even within TPO, disclosures for payment and operations must be limited to the minimum necessary to accomplish the purpose; only disclosures for treatment are exempt from that "minimum necessary" standard.

  • TPO FAQ - Treatment Payment Operations

Who are the covered entities that are required to comply with the HIPAA regulations?

Health plans, health care clearinghouses, and health care providers who transmit health information electronically in connection with a HIPAA standard transaction (for example, electronic claims). These covered entities must take reasonable steps to ensure their patients' health information is kept private and secure. Business associates that create, receive, maintain, or transmit PHI on a covered entity's behalf must also protect it under a written business associate agreement.

What is the Notice of Privacy Practices?

A written notice provided to all patients describing their rights under the Privacy Rule, how the covered entity may use and disclose their PHI, and the entity's duties to protect it. Providers with a direct treatment relationship must give the notice no later than the first service delivery and make a good-faith effort to obtain the patient's written acknowledgment of receipt. Uses and disclosures not described in the notice require the patient's authorization.

  • HIPAA - Example of downloadable HIPAA forms.

Under HIPAA, Protected Data refers to:

Any patient information that identifies the individual, or could reasonably be used to identify the individual, including but not limited to name, Social Security number, subscriber ID number, date of birth, or address. Health information from which such identifiers have been removed is de-identified and is no longer PHI.

  • HIPAA Glossary - Yale's essential list of HIPAA terms in policies and procedures.

What are the penalties for HIPAA violations?

Section 1177 of HIPAA (42 U.S.C. § 1320d-6) makes it a federal crime for a person, knowingly and in violation of the Act, to use or cause to be used a unique health identifier; to obtain individually identifiable health information relating to an individual; or to disclose individually identifiable health information to another person.

Such persons are subject to the following penalties:

  • a fine of up to $50,000, up to 1 year in prison, or both;
  • if the offense is committed under false pretenses, a fine of up to $100,000, up to 5 years in prison, or both;
  • if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, a fine of up to $250,000, up to 10 years in prison, or both.

HIPAA also provides for civil money penalties, imposed by the Secretary of Health and Human Services (HHS) "on any person" who violates a provision of the Act. As originally enacted, the maximum was $100 for each violation, with the total not to exceed $25,000 for all violations of an identical requirement or prohibition during a calendar year. The HITECH Act of 2009 raised these amounts substantially, introducing tiers based on culpability of up to $50,000 per violation and an annual cap of $1.5 million per identical provision (both since adjusted for inflation), so the original figures should not be relied on when assessing current exposure.