
The anatomy of HIPAA.

HIPAA is the Health Insurance Portability & Accountability Act of 1996, which amended the Internal Revenue Code of 1986. Title I of this act, which became effective in 1996, dealt with the various concerns, such as pre-existing conditions, that have arisen in a modern job market in which changing employers has become much more common.

Title II, entitled "Administrative Simplification," authorized the Department of Health & Human Services to publish new rules that would ensure the standardization of electronic patient health administrative and financial data; unique health identifiers for individuals, employers, health plans and health care providers; and security standards protecting the confidentiality and integrity of "individually identifiable health information," whether past, present or future. These rules apply to health care providers, health care clearinghouses and health plans (the "covered entities"). HIPAA provides severe civil and criminal penalties for noncompliance, including civil fines of up to $25,000 for multiple violations of the same standard in a calendar year, and criminal fines of up to $250,000 and imprisonment of up to 10 years for knowing misuse of individually identifiable health information.

Covered entities adjusted to the privacy rule when it became generally effective two years ago. This week, the security rule becomes generally effective as well.

The Privacy Rule. Compliance with the privacy rule was required as of April 14, 2003, for most covered entities. It is intended to protect the privacy of all individually identifiable health information. The rule established "the first set of basic national privacy standards and fair information practices that provides all Americans with a basic level of protection and peace of mind that is essential to their full participation in their care."

The privacy standards gave patients new rights to access their medical records, to restrict access by others, to request changes and to learn how their records have been disclosed. The standards restrict most uses and disclosures of protected health information to the minimum necessary for treatment and business operations. Furthermore, the standards require that all patients be formally notified of a covered entity's privacy practices, and they allow patients to decide whether to authorize disclosure of their protected health information for uses other than treatment, payment or health care operations. The rule requires business associate agreements with business partners that obligate those partners to safeguard their use and disclosure of protected health information. Finally, the rule requires covered entities to implement a comprehensive compliance program. This includes conducting an impact assessment to determine gaps between existing information practices and policies and the HIPAA requirements; reviewing the functions and activities of the organization's business partners to determine where business associate agreements are required; developing and implementing privacy policies and procedures that carry out the rule; assigning a privacy officer who will administer the organizational privacy program and enforce compliance; training all members of the workforce on HIPAA and the organization's privacy policies; and updating systems to ensure they adequately protect patient data.

The Security Rule. The final security rule was published in February 2003 and took effect April 21, 2003, with compliance generally required two years later, on Thursday, April 21. It provides a uniform level of protection for all protected health information that is stored or transmitted electronically. The rule requires covered entities to ensure the confidentiality, integrity and availability of all electronic protected health information the covered entity creates, receives, maintains or transmits. It also requires entities to protect against any reasonably anticipated threats or hazards to the security or integrity of such information, to protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required by the privacy rule, and to ensure compliance by their workforce. The required safeguards fall into three groups: administrative safeguards, meaning appropriate policies and procedures; physical safeguards controlling physical access to systems holding protected information; and technical safeguards protecting the networks, computers and other electronic devices that store or transmit it.

The security rule is intended to be flexible. It does not mandate specific technologies but allows covered entities to select solutions appropriate to their size, operations and risks, as long as the chosen solutions are supported by a thorough security assessment and a documented risk analysis.

Covered entities should by now have familiarized themselves with the specific requirements of the security rule and decided how best to comply with its terms. If they have not, it could prove very costly for them in the long run.

Scotty Shively and Brandon Lacy are attorneys with the law firm of Cross Gunter Witherspoon & Galchus in Little Rock.
COPYRIGHT 2005 Journal Publishing, Inc.
Copyright 2005 Gale, Cengage Learning. All rights reserved.

Article Details
Title Annotation: Health Insurance Portability and Accountability Act
Author: Shively, Scotty; Lacy, Brandon
Publication: Arkansas Business
Article Type: Column
Geographic Code: 1USA
Date: Apr 18, 2005

