HIPAA Compliance 101
What is HIPAA?
The U.S. Congress ordained the Health Insurance Portability and
Accountability Act (HIPAA) in 1996. Title I of HIPAA protects
health insurance coverage for workers and their families when
they lose or change their jobs. According to title II of HIPAA,
the Administrative Simplification (AS) provisions, requires the
establishment of national standards for electronic health care
transactions and national identifiers for providers, health
insurance plans, and employers. The AS provisions also address
the security and privacy of health data. The purpose of all
these standards is to improve the efficiency and effectiveness
of the nation's health care system by encouraging the widespread
use of electronic data interchange in health care.
The AS provisions are applicable to only 'covered entities'.
Covered entities are those health care providers (e.g. doctors
offices and hospitals) which engage in electronic transactions
as per the HIPAA/EDI rules, health plans (which includes health
insurance companies and employer-sponsored 'group health
plans'), and health care clearing houses.
Applying HIPAA Provisions
Certain key provisions need to be followed for HIPAA compliance.
Individuals should be able to access their records and request
correction of errors. Also, they should be informed about how
their personal information will be used. The 'protected health
information' (PHI) indicates that the information cannot be used
for marketing purposes without the explicit consent of the
patients in question. People should be able to ask their covered
entities (which maintain PHI about them), to ensure that their
communications with the patient are confidential. It should be
possible for people to file formal privacy-related complaints to
the Department of Health and Human Services (HHS) Office for
Civil Rights. Covered entities should document their privacy
procedures, however, they have discretion on what to include in
their privacy procedure. Covered entities are required to
designate a privacy officer and train their employees. Covered
entities can use an individual's information without the
individual's consent if the purposes is to provide treatment,
obtain payment for services and to perform the non-treatment
operational tasks of the provider's business.