The HIPAA Compliance Office assists Medicaid beneficiaries in exercising their rights, including requests for claims records, handles HIPAA complaints against the Agency and advises AHCA on how to comply with HIPAA.

The Health Insurance Portability and Accountability Act (HIPAA)[1] was passed on August 21, 1996. Among other things, it included "administrative simplification" rules intended to make healthcare delivery more efficient. Portability of medical coverage for pre-existing conditions was a key provision of the act, as was defining the underwriting process for group medical coverage. It also standardized the electronic transmittal of billing and claims information.

Congress recognized that standardizing the electronic means of paying and collecting claims data increased the potential for abuse of people's medical information, so a key part of the act also increased and standardized the confidentiality and security of health data. The HIPAA privacy regulations require that access to patient information be limited to those who are authorized, that only the information necessary for a task be available to them, and that personal health information be protected and kept confidential.

Congress did not finalize the actual regulations on the schedule it had set; instead it passed that responsibility to the Department of Health and Human Services. The final version of the HIPAA Privacy Rule was issued in December 2000 and went into effect on April 14, 2001[2]. A two-year "grace" period was included; enforcement of the HIPAA Privacy Rule began on April 14, 2003. So HIPAA has been law since 2001, and April 14, 2003 is the date from which penalties can be applied for non-compliance.

The Rules are not set in stone; periodically the Department of Health and Human Services will propose changes or issue updates, clarifications, and explanations (aka "guidance"). When a change is suggested, it is followed by a period of public comment. During the comment period, the suggested changes may be modified or withdrawn. After the comment period, the change may be put into effect.

Prior to HIPAA, there was no uniformity; rules and regulations varied from state to state, and even from one healthcare organization to another. If an organization was doing business in multiple states, were they subject to the rules of the state where each office was located, or by the rules of the state where the headquarters was located? Should they follow state regulations, or federal?

HIPAA provides for a uniform, basic level of security and privacy throughout the country. (Where existing state laws are more strict, they supersede HIPAA.)

For example, the office receiving a referral needs only the medical history, not the billing information, so it should be given only the medical history. Likewise, when sending items to accounting for billing, only the information needed to process the claim should be sent: there is no need for the whole medical history, just the codes for the current work, possibly a few notes, and the patient identifier.
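The "minimum necessary" idea in the referral and billing example above can be implemented as purpose-specific views of a record: an allow-list of fields per purpose, deny by default, with every disclosure written to an audit log. The following Python is an added example written for this page, not code from the HIPAA Compliance Office, AHCA, or any HIPAA manual; the field names, the two purposes, the `DISCLOSURE_POLICY` table and the sample record are assumptions chosen to mirror the referral and billing cases.

```python
"""Minimum-necessary disclosure: purpose-specific views of a patient record.

Added illustration (not from the page). Field names, purposes and the sample
record are assumptions chosen to mirror the referral/billing example.
"""
from typing import Any

# Constructed sample record; every value is fictitious.
SAMPLE_RECORD: dict[str, Any] = {
    "patient_id": "PT-000123",
    "name": "Jane Example",
    "dob": "1950-03-02",
    "home_address": "1 Example Lane, Minneapolis, MN",
    "insurance_member_id": "MBR-55512",
    "diagnoses": ["I10", "E11.9"],
    "medications": ["lisinopril 10mg", "metformin 500mg"],
    "visit_notes": "BP elevated at follow-up; adjust dose, recheck in 4 weeks.",
    "procedure_codes": ["99213"],
    "billing_note": "Established patient, level 3 office visit.",
    "charge_usd": 145.00,
}

# Allow-lists per purpose (hypothetical policy). Deny-by-default: a field not
# listed for a purpose is never disclosed for it, so a column added to the
# record later stays withheld until someone deliberately adds it here.
DISCLOSURE_POLICY: dict[str, frozenset[str]] = {
    # The receiving clinician needs the medical history, not the money side.
    "referral": frozenset({
        "patient_id", "name", "dob", "diagnoses", "medications", "visit_notes",
    }),
    # Accounting needs the identifier, the codes for current work and a few
    # notes; it does not need the history.
    "billing": frozenset({
        "patient_id", "insurance_member_id", "procedure_codes",
        "billing_note", "charge_usd",
    }),
}


class DisclosureError(Exception):
    """Raised when no policy exists for the requested purpose (fail closed)."""


def minimum_necessary(
    record: dict[str, Any], purpose: str, audit_log: list[dict[str, Any]]
) -> dict[str, Any]:
    """Return a copy of `record` holding only the fields allowed for `purpose`.

    Every disclosure, including the fields withheld, is appended to `audit_log`
    so the decision can be reviewed later. An unknown purpose is refused rather
    than treated as "disclose everything".
    """
    allowed = DISCLOSURE_POLICY.get(purpose)
    if allowed is None:
        raise DisclosureError(f"no disclosure policy defined for purpose {purpose!r}")

    disclosed = {k: v for k, v in record.items() if k in allowed}
    withheld = sorted(k for k in record if k not in allowed)
    audit_log.append({
        "patient_id": record.get("patient_id"),
        "purpose": purpose,
        "disclosed": sorted(disclosed),
        "withheld": withheld,
    })
    return disclosed


if __name__ == "__main__":
    log: list[dict[str, Any]] = []
    for purpose in ("referral", "billing"):
        view = minimum_necessary(SAMPLE_RECORD, purpose, log)
        print(purpose, "->", sorted(view))
    try:
        minimum_necessary(SAMPLE_RECORD, "marketing", log)
    except DisclosureError as exc:
        print("refused:", exc)
    print("audit entries:", len(log))
```

The design choice worth noting is the allow-list: a deny-list that strips "billing fields" from a referral leaks any field that is added to the record later, whereas the allow-list withholds it until the policy is updated. In a real system the purpose would come from the requesting role or workflow rather than a free-form string, and the audit entries would go to tamper-evident storage.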

Some of the regulations are straightforward and black and white. Many, however, are subjective. Basically, a healthcare provider needs to examine the requirements, look at how things are currently handled, particularly personal health information, and apply the regulations where they make the most sense.

When the day comes and you are asked whether your firm is HIPAA compliant, can you say your firm did the best job possible? If you can document that with our HIPAA manual, you probably won't have any problems. If you can't, or worse, made no effort to be compliant, beware: the fines are potentially immense.

Think of HIPAA as legislated common sense when it comes to protecting the personal, private and confidential information relating to the clients of your firm. How would you want your personal information protected? That is what we provide on this web site: a step-by-step procedure to assist you in this process. When you have completed all the modules, you will have a HIPAA manual for your firm. It is up to you to implement the procedures in your firm. All your employees must be trained in the importance of protecting PHI. Ultimately the principals of a healthcare firm will be held responsible for the actions of the firm and its employees.

As a quick example of how easily PHI can get out of an office, recently one of our staff took his mother to her doctor's office for an appointment. Being aware of HIPAA, he quietly observed the procedures of the clinic, which is part of a major group in Minneapolis. When his mother was taken into the room with her MD, he wandered around the office and was able to pick up client files and page through them. The files were in clear view; no one stopped him or even paid any attention to what he was doing. This is not HIPAA compliance. Those files should be treated as if they are all precious, because HIPAA makes them so. HIPAA is risk management.

[1] Public Law 104-191, aka the Kennedy-Kassebaum Act.
[2] Normally, rules go into effect 60 days after publication in the Federal Register. Due to a glitch, the rules did not go into effect until April 14, 2001 instead of in February 2001.