HIPAA stands for the “Health Insurance Portability and Accountability Act”. President Bill Clinton signed the bill into law on August 21, 1996. It is often described as the most significant piece of Federal legislation to affect the health care industry since Medicare and Medicaid were rolled out in 1965. The law’s insurance-portability provisions took effect on July 1, 1997; the privacy and security regulations discussed below were issued by HHS in the following years and had their own, later compliance dates.
HIPAA required the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations to protect the privacy and security of certain health information.
So, who needs to be HIPAA compliant? Here’s a list:
- covered healthcare providers (hospitals, clinics, regional health services, individual medical practitioners) who carry out transactions in electronic form
- healthcare clearinghouses (billing services, repricing companies, community health management information systems or community health information systems, and value-added networks)
- health plans (health insurers, HMOs, Medicaid, Medicare, Medicare prescription drug card sponsors, health flexible spending accounts, and group health plans sponsored by employers, schools or universities, insofar as they create, receive, store or transmit EPHI, or electronic protected health information)
- a covered entity’s business associates (including private-sector vendors and third-party administrators that handle protected health information on its behalf)
The Privacy Rule creates national standards for the protection of certain health information and it applies to all forms of individuals’ protected health information, whether it is electronic, written, or oral. The major goal of the Privacy Rule is to make sure your health information is properly protected, while the flow of health information needed to provide high quality care continues.
The Privacy Rule covers a health care provider whether it electronically transmits these transactions directly or uses a billing service or other third party to do so on its behalf.
For the average health care provider or health plan, the Privacy Rule requires activities, such as:
- Notify patients about their privacy rights and how their information can be used.
- Adopt and implement privacy procedures for its practice, hospital, or plan.
- Train employees so they understand the privacy procedures.
- Designate an individual to be responsible for seeing that the privacy procedures are adopted and followed.
- Secure patient records containing individually identifiable health information so they are not readily available to those who do not need them.
Your Personal Rights Under HIPAA
Many of us believe our medical and other health information should be kept private and protected and most want to know who has access to this private information. The Privacy Rule gives you some rights over your health information and sets limits on who can look at and receive your health information.
The following information is protected for each individual:
- information your doctors, nurses, and other health care providers put in your medical record
- conversations your doctor has about your care or treatment with nurses and others
- information about you in your health insurer’s computer system
- billing information about you at your clinic
- most other health information about you held by those who must follow these laws
Health Care Provider Responsibilities
Covered entities are defined in the HIPAA rules as the following:
- health plans
- health care clearinghouses
- health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards
Generally, these transactions concern billing and payment for services or insurance coverage. For example, hospitals, academic medical centers, physicians, and other health care providers who electronically transmit claims transaction information directly, or through an intermediary to a health plan, are covered entities. Covered entities can be institutions, organizations, or persons.