What's New
What is HIPAA?
Who must comply with HIPAA?
When is the deadline for compliance?
What kind of information is protected?
What measures must be taken to protect information?
Who enforces HIPAA?
What are the penalties for non-compliance?
HIPAA links
As practices begin to digest and utilize the new HIPAA regulations, common sense is being interjected into the
guidelines. There are many basic steps you can take to bring yourself into compliance with HIPAA. For most practices, however,
these regulations will not result in dramatic changes to your filing systems. You should expect many subtle changes
to take place, especially in communication between patients and your practice.
There are many ways to help you gain further compliance. E-mail or call us for more info.
What's New ...
CMS has now published the HIPAA Model Compliance Extension Form, which can be used by covered entities to
request a one year extension to the October 16, 2002 compliance date for standard transactions and code sets.
The form (and a soon to be available electronic submission option) can be accessed at:
http://www.cms.gov/hipaa
Proposed Changes to HIPAA Privacy Regulations
On March 21, 2002, the Department of Health and Human Services (HHS) issued additional information regarding the HIPAA
privacy regulations. Slated to take effect April 26, 2002 (following the mandated 30 day comment period after publication
in the Federal Register on March 27, 2002), this proposed rule modification for the Standards for Privacy of Individually
Identifiable Health Information makes the implementation of HIPAA somewhat easier for providers. Although additional modifications
will likely be made, this rule modification will help clarify HHS’s intentions regarding HIPAA privacy.
To see HHS's press release, “MODIFICATIONS TO THE STANDARDS FOR PRIVACY OF INDIVIDUALLY IDENTIFIABLE HEALTH
INFORMATION -- FINAL RULE” go to: www.hhs.gov/news/press/2002pres/20020809.html
Go to www.hhs.gov/news/press/2002pres/20020321.html
for the Health and Human Services Fact Sheet. For additional information go to www.hhs.gov/ocr/hipaa/
What is HIPAA?
To improve the efficiency and effectiveness of the health care system, the Health Insurance Portability and Accountability
Act (HIPAA) of 1996 included a series of "administrative simplification" provisions (Transactions and Code Sets,
Privacy and Security) that required the Department of Health and Human Services (HHS) to adopt national standards for electronic
health care transactions. By ensuring consistency throughout the industry, these national standards will make it easier for health
plans, doctors, hospitals and other health care providers to process claims and other transactions electronically.
Who must comply with HIPAA?
As required by HIPAA, the final regulation covers health plans, health care clearinghouses, and those health care providers
who conduct certain financial and administrative transactions electronically. The provisions of the final rule generally
apply equally to private sector and public sector entities. Those that are not doing electronic transactions are still mandated
to comply with the Privacy and Security rules.
When is the deadline for compliance?
The Transactions and Code Sets Rule compliance date is October 16, 2002. However, bill # HR3323 allows entities to delay
their compliance until October 16, 2003, by filing for a deadline extension. To qualify for the deadline extension, entities
must submit a compliance plan to the Secretary of DHHS by October 16, 2002. The plan must include a budget, schedule, work plan
and an implementation strategy for achieving compliance (with industry wide testing completed by April 2003). Those entities
that do not file for an extension must comply by the original Oct. 16, 2002 deadline.
The bill also requires that most Medicare claims be submitted electronically to the Centers for Medicare and Medicaid
Services (CMS) as a condition of payment. The exceptions are if there is no method available other than written
form and for smaller providers (defined as having fewer than 25 full time equivalent employees for facilities or 10
for physician practices). Many large payers and CMS have said that if they receive an increase in paper claims, it could
affect the timeliness of payment.
As required by the HIPAA law, most covered entities have two full years - until April 14, 2003 - to comply with the
privacy rule's provisions. The law gives HHS the authority to make appropriate changes to the rule prior to the compliance
date. Small health plans have until April 14, 2004 (small health plans are defined as having less than $5 million in
annual receipts).
What kind of information is protected?
All medical records and other individually identifiable health information used or disclosed by a covered entity in any
form, whether electronically, on paper, or orally, are covered by the final rule.
What measures must be taken to protect information?
The Privacy Rule generally requires covered entities to take reasonable steps to limit the use or disclosure
of and requests for Protected Health Information (PHI) to the minimum necessary to accomplish the intended
purpose. The minimum necessary standard is intended to make covered entities evaluate their practices and
enhance protections as needed to prevent unnecessary or inappropriate access to PHI. It is intended to reflect
and be consistent with, not override, professional judgment and standards. Therefore, it is expected that
covered entities will utilize the input of prudent professionals involved in health care activities when
developing policies and procedures that appropriately will limit access to personal health information
without sacrificing the quality of healthcare.
Who enforces HIPAA?
The Department of Health and Human Services will be responsible for determining if institutions are HIPAA
compliant as well as assessing penalties and fines for violations. In addition to HHS, institutions should
be concerned with the potential of private lawsuits citing HIPAA violations.
What are the penalties for non-compliance?
Civil penalties
Health plans, providers and clearinghouses that violate these standards will be subject to civil liability.
Civil money penalties are $100 per violation, up to $25,000 per person, per year for each requirement or
prohibition violated.
Federal criminal penalties
Under HIPAA, Congress also established criminal penalties for knowingly violating patient privacy. Criminal
penalties are up to $50,000 and one year in prison for obtaining or disclosing protected health information;
up to $100,000 and up to five years in prison for obtaining protected health information under "false
pretenses"; and up to $250,000 and up to 10 years in prison for obtaining or disclosing protected health
information with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm.
HIPAA links
Department of Health and Human Services
aspe.hhs.gov
Consider this your official starting point for access to HIPAA documentation submitted to or by the government.
This Administrative Simplification site offers calendars, proposed rules, implementation timetables, news,
meeting minutes, full text regulatory documents and FAQs on HIPAA. It also has published the public comments to
all proposed HIPAA regulations.
Health Care Financing Administration
http://www.hcfa.gov
http://www.hcfa.gov/medlearn/hipaa.htm
These sites provide information on unique identifiers, Medicare EDI and other HIPAA initiatives concerned with health insurance.