The anatomy of HIPAA.
Title II, entitled "Administrative Simplification," authorized the Department of Health & Human Services to publish new rules that would ensure the standardization of electronic patient health administrative and financial data; unique health identifiers for individuals, employers, health plans and health care providers; and security standards protecting the confidentiality and integrity of "individually identifiable health information," past, present, or future. These rules apply to health care providers, health care clearinghouses and health plans. HIPAA calls for severe civil and criminal penalties for noncompliance including fines up to $25,000 for multiple violations of the same standard in a calendar year and fines up to $250,000 and imprisonment up to 10 years for knowing misuse of individually identifiable health information.
Covered entities adjusted to the privacy rule when it became generally effective two years ago. This week, the security rule becomes generally effective as well.
The Privacy Rule. Compliance with the privacy rule was required as of April 14, 2003, for most covered entities. It is intended to protect the privacy of all individually identifiable health information. The rule established "the first set of basic national privacy standards and fair information practices that provides all Americans with a basic level of protection and peace of mind that is essential to their full participation in their care."
The privacy standards gave patients new rights to access their medical records, to restrict access by others, to request changes and to learn how records have been accessed. The standards restrict most disclosures of protected health information to the minimum needed for treatment and business operations. Furthermore, the standards provide that all patients are formally notified of covered entities' privacy practices and enable patients to decide if they will authorize disclosure of their protected health information for uses other than treatment, payment or health care operations. The rule establishes business associate agreements with business partners that safeguard their use and disclosure of protected health information. Finally, the rule requires covered entities to implement a comprehensive compliance program. This includes conducting an impact assessment to determine gaps between existing information practices and policies and HIPAA requirements; reviewing functions and activities of the organization's business partners to determine where business associate agreements are required; developing and implementing privacy policies and procedures to implement the rule; assigning a privacy officer who will administer the organizational privacy program and enforce compliance; training all members of the workforce on HIPAA and organizational privacy policies; and updating systems to ensure they provide adequate protection of patient data.
The Security Rule. The final security rule was published April 21, 2003, with compliance generally required later this week, on Thursday, April 21. It provides for a uniform level of protection for all protected health information that is housed or transmitted electronically. The rule requires covered entities to ensure the confidentiality, integrity and availability of all electronic protected health information the covered entity creates, receives, maintains or transmits. It also requires entities to protect against any reasonably anticipated threats or hazards to the security or integrity of such information, to protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the privacy rule, and to ensure compliance by their work force. Required safeguards include the application of appropriate policies and procedures; safeguarding physical access to protected information; and ensuring that technical security measures are in place to protect networks, computers and other electronic devices.
The security rule is intended to be flexible. It does not require specific technologies to be used but allows covered entities to elect solutions that are appropriate to their operations as long as the selected solutions are supported by a thorough security assessment and risk analysis.
Covered entities should have familiarized themselves with the specific requirements of the security rule and decided how best to comply with its terms. If they have not, it could be very costly for them in the long run.
Scotty Shively and Brandon Lacy are attorneys with the law firm of Cross Gunter Witherspoon & Galchus in Little Rock.
Title Annotation: Health Insurance Portability and Accountability Act
Author: Shively, Scotty; Lacy, Brandon
Date: Apr 18, 2005