Welcome back to our ultimate guide to HIPAA series. We’re at the second part of our three-part series, where we dissect the ins and outs of the HIPAA guidelines. As a HIPAA compliant call center, we decided to run this three-part series to help you gain a better understanding of how HIPAA works.
Let’s get back to where we left off.
On healthcare fraud and abuse prevention, administrative simplification, and medical liability reform
Title II of the HIPAA defines guidelines, policies, and procedures for how the security and privacy of identifiable health information of individuals ought to be maintained. Title II also outlines a number of offenses related to healthcare and sets the criminal and civil penalties for the violations of such offenses.
Though several programs were created under Title II to limit abuse and fraud within the healthcare system, perhaps its most significant provisions are its administrative simplification rules.
The title required the Department of Health and Human Services (HHS) to formulate rules that focus on increasing the current health care system’s efficiency by creating standards for healthcare information use and dissemination.
These rules are applied to what HIPAA and the HHS define as “covered entities.” These entities include health care providers with healthcare data transmission regulated by the HIPAA, health plans, and healthcare clearinghouses (such as community health information systems and billing services).
As required by Title II, five rules were promulgated by the HHS regarding Administrative Simplification, namely:
- The Security Rule;
- The Enforcement Rule;
- The Privacy Rule;
- The Unique Identifiers Rule; and,
- The Transactions and Code Sets Rule.
The Final Rule on HIPAA’s Security Standards was announced on February 20, 2003, and took effect on April 21, 2003, with compliance required by April 21, 2006.
The Security Rule specifically deals with Electronic Protected Health Information (EPHI). Three types of security safeguards were laid out and required for compliance, namely: administrative, physical, and technical.
The rule identifies various security standards for each type, and for each standard it names both required implementation specifications and addressable implementation specifications.
Required specifications must be adopted and administered exactly as the rule stipulates. Addressable specifications, on the other hand, are more flexible: each covered entity is expected to evaluate its own situation against these specifications and determine the best way to implement them.
The complete details on the specific standards and specifications of the security rule can be read by clicking on the link in the resource section of this guide.
The HHS issued the Final Rule regarding HIPAA enforcement on February 16, 2006. This rule took effect on March 16, 2006.
The Enforcement Rule sets civil money penalties for violating HIPAA standards and establishes procedures for investigations and hearings into HIPAA violations; it was adopted after many years in which only a limited number of violations had been prosecuted.
As of March 2013, the HHS had investigated over 19,306 cases that were resolved by requiring corrective actions or changes in privacy practices.
There have been many complaints investigated against multiple types of businesses, such as primary healthcare centers, national pharmacy chains, hospital chains, insurance groups, and other small providers.
According to the official website of HHS, the following issues are the most frequently reported, listed in order of frequency:
- PHI misuse and disclosure;
- No safeguards in place for health information;
- Patients not being able to access their medical information;
- Disclosing or using more than the minimum necessary amount of protected health information; and,
- No safeguards for electronic protected health information.
The Privacy Rule’s effective compliance date was April 14, 2003, with a year’s worth of extension for “small plans.”
The Privacy Rule of HIPAA regulates how Protected Health Information (PHI) held by covered entities is used and disclosed. Per HHS regulation, the HIPAA Privacy Rule also extends to independent contractors working with covered entities that fit the definition of “business associates.”
PHI is any information held by a covered entity that concerns healthcare payment, healthcare provision, or health status and that can possibly be linked to an individual. This definition of PHI is interpreted quite broadly and includes any portion of a person’s payment history and medical record.
Covered entities must disclose PHI to an individual within 30 days of that individual’s request. They are also required to disclose PHI whenever required to do so by law.
Covered entities may, however, disclose PHI without the patient’s express written authorization to facilitate treatment, payment, or health care operations. Any other disclosure of PHI requires the covered entity to obtain written consent from the individual.
Also, whenever covered entities disclose PHI, they must make a reasonable effort to limit the information disclosed to the minimum necessary to achieve its purpose.
Unique identifiers rule
HIPAA covered entities are required to use the National Provider Identifier (NPI) to identify health care providers that are covered in standard transactions starting from May 23, 2007 (or May 23, 2008, for small health plans).
All covered entities that use electronic communications (health insurance companies, hospitals, physicians, and so forth) have to use a single new NPI starting May 2006 (or May 2007 for small health plans).
Though the NPI replaces all other identifiers used by Medicaid, Medicare, health plans, and other government programs, it does not take the place of a provider’s tax identification number, state license number, or DEA number.
The NPI is ten digits long (it may be alphanumeric), with the last digit serving as a checksum. The NPI is simply an identifier: it carries no additional meaning and has no intelligence embedded within it.
The NPI is unique, national, and never reused. Apart from institutions, a provider can usually have at most one NPI. Organizations may obtain multiple NPIs for their distinct parts or subparts, such as a rehab facility or a freestanding cancer center.
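The guide states only that an NPI is ten digits with a checksum as its last digit. The following Python is an added example, not code from this guide or from HHS/CMS, showing how that check digit is verified so that mistyped provider identifiers can be caught at intake before a record is filed. It implements the published CMS check-digit method (the Luhn formula applied to the nine leading digits prefixed with the constant 80840); the sample records, record IDs and field names are constructed for the example and are not real data.

```python
# Added example: validating the check digit of a National Provider Identifier.
# The check digit is computed with the Luhn formula over the nine leading
# digits prefixed by "80840" (the constant prefix CMS specifies for NPIs).

def luhn_check_digit(payload: str) -> int:
    """Return the Luhn check digit for a string of decimal digits."""
    total = 0
    # Walk from the rightmost payload digit leftwards; double every other
    # digit, starting with the one adjacent to the (future) check digit.
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def npi_check_digit(first_nine: str) -> int:
    """Check digit for the nine leading digits of an NPI."""
    if len(first_nine) != 9 or not first_nine.isdigit():
        raise ValueError("expected nine decimal digits")
    return luhn_check_digit("80840" + first_nine)


def is_valid_npi(npi: str) -> bool:
    """True if npi is ten decimal digits ending in the correct check digit."""
    if len(npi) != 10 or not npi.isdigit():
        return False
    return npi_check_digit(npi[:9]) == int(npi[9])


def flag_bad_npis(records):
    """Return the IDs of records whose provider NPI fails validation.

    Only the record ID is returned, so the caller can report the problem
    without copying the rest of the record (which may contain PHI) into logs.
    """
    return [r["record_id"] for r in records
            if not is_valid_npi(r.get("provider_npi", ""))]


# Constructed sample intake records (hypothetical, not real providers or patients).
SAMPLE_RECORDS = [
    {"record_id": "r-001", "provider_npi": "1234567893"},  # valid check digit
    {"record_id": "r-002", "provider_npi": "1234567890"},  # last digit mistyped
    {"record_id": "r-003", "provider_npi": "12345678"},    # too short
]

if __name__ == "__main__":
    print(flag_bad_npis(SAMPLE_RECORDS))  # ['r-002', 'r-003']
```

The check digit catches transcription errors (a wrong or transposed digit), not fraud: a syntactically valid NPI says nothing about whether that provider exists or is the one the caller claims to be, so this check belongs alongside, not instead of, a lookup against the provider registry.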
Transactions and code sets rule
With the intention of making the U.S. healthcare system more efficient by standardizing healthcare operations, HIPAA added to Title XI of the Social Security Act a new Part C, titled “Administrative Simplification.”
This part aims to simplify healthcare transactions by requiring health plans to conduct all healthcare transactions in a standardized format.
Health plans covered by HIPAA are now required to use standardized electronic transactions. A number of electronic data interchange transactions are currently used for HIPAA compliance. More about this can be read by clicking the link in the resource section below.
HHS received about 91,000 complaints of HIPAA violations between April 2003 and January 2013. Of these, 22,000 led to various kinds of enforcement actions, while 521 resulted in criminal referrals to the Department of Justice.
There are two types of penalties that can be incurred: civil penalties and criminal penalties. The most prominent difference between the two is that civil penalties do not include imprisonment while criminal penalties do.
For a clear comparison of civil and criminal penalties, the following are examples of violations that may incur civil penalties:
- The individual did not know, even after exercising reasonable diligence, that they had violated HIPAA;
- A HIPAA violation due to reasonable cause, but not to willful neglect;
- A HIPAA violation due to willful neglect that was corrected within the required time; and,
- A HIPAA violation due to willful neglect that was not corrected.
The following are examples of violations that may incur criminal penalties:
- Specified individuals and covered entities that “knowingly” obtained or disclosed individually identifiable PHI in an unauthorized manner;
- Offenses that were committed under false pretenses; and,
- Offenses that were committed with intent to transfer, sell, or use individually identifiable PHI for personal gain, commercial advantage, or malicious harm.
Part three of your ultimate HIPAA guide soon
While we tried our best to cover the most crucial parts of Title II of HIPAA, the guide we shared is by no means complete.
If you still would like to read more on the contents of Title II: Preventing health care fraud and abuse; administrative simplification; medical liability reform of the Health Insurance Portability and Accountability Act of 1996, do check out the resource section of this guide, and click on the link below.
Stick around for Part Three of Your Ultimate Guide to HIPAA.
(Note: If you are looking for a HIPAA compliant call center to assist you with administering your customers’ sensitive medical records, contact us now.)