HIPAA STATUTORY BACKGROUND

(This text is excerpted from Federal Register/Vol. 67, No 157/8-14-02/Rules & Regulations)


  Congress recognized the importance of protecting the privacy of health information given the rapid evolution of health information systems in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, which became law on August 21, 1996. HIPAA’s Administrative Simplification provisions, sections 261 through 264 of the statute, were designed to improve the efficiency and effectiveness of the health care system by facilitating the electronic exchange of information with respect to certain financial and administrative transactions carried out by health plans, health care clearinghouses and health care providers who transmit information electronically in connection with such transactions. To implement these provisions, the statute directed Health and Human Services (HHS) to adopt a suite of uniform, national standards for transactions, unique health identifiers, code sets for the data elements of the transactions, security of health information and electronic signature.


  At the same time, Congress recognized the challenges to the confidentiality of health information presented by the increasing complexity of the health care industry, and by advances in the health information systems technology and communications. Thus the Administrative Simplification provisions of HIPAA authorized the Secretary to promulgate standards for the privacy of individually identifiable health information.


  With respect to these regulations, HIPAA provided that the standards, implementation specifications, and requirements established by the Secretary not supersede any contrary State law that imposes more stringent privacy protections.


  HHS published a proposed Rule setting forth privacy standards for individually identifiable health information on November 3, 1999. After reviewing and considering public comments, HHS issued a final Rule on December 28, 2000 establishing “Standards for Privacy of Individually Identifiable Health Information” (“Privacy Rule”).


  The Privacy Rule creates for the first time a floor of national protections for the privacy of consumers’ most sensitive information: health information. Congress has passed other laws to protect consumers’ personal information contained in bank, credit card and other financial records and even video rentals. These health privacy protections are intended to provide consumers with similar assurance that their health information, including genetic information, will be properly protected. Under the Privacy Rule, health plans, health care clearinghouses, and certain health care providers must guard against misuse of individuals’ identifiable health information and limit the sharing of such information.

The compliance date of the Privacy Rule for most covered entities is April 14, 2003.


  Section 164.502 – Uses and Disclosures of Protected Health Information

General Rules (Excerpted from Federal Register/Vol. 67, No 157/8-14-02/Rules & Regulations)


  The December 2000 Privacy Rule generally requires that covered entities make reasonable efforts to limit the use or disclosure of, and requests for, protected health information to the minimum necessary to accomplish the intended purpose. The Privacy Rule requires covered entities to implement the appropriate administrative, technical, and physical safeguards to reasonably safeguard protected health information (PHI) from any intentional or unintentional use or disclosure that violates the Rule.


  Protected Health Information includes individually identifiable health information in any form, including information transmitted orally, or in written or electronic form.


  The Department clarified that the Privacy Rule is not intended to impede customary and necessary health care communications or practices, nor to require that all risk of incidental use or disclosure be eliminated to satisfy the standards.


  The Department continues to believe, as was stated in the proposed Rule, that so long as reasonable safeguards are employed, the burden of impeding such communications is not outweighed by any benefits that may accrue to the individuals’ privacy interests.


  However, an incidental use or disclosure that occurs as a result of a failure to apply reasonable safeguards or the minimum necessary standard, where required, is not a permissible use or disclosure and, therefore, is a violation of the Privacy Rule.


   The Department expects that incidental uses and disclosure will occur and permits such uses and disclosure to the extent that the covered entity has in place reasonable safeguards and has applied the minimum necessary standard.


   Each covered entity should assess the nature of the protected health information it “holds” and the nature and scope of its business, and implement safeguards that are reasonable for its particular circumstances.


   This means that covered entities must show proof that they have undertaken an appropriate course of action to protect the PHI of consumers.


   HHS has been requested to provide additional definition for what would constitute “reasonable safeguards” and has stated in the Federal Register that “reasonable safeguards and minimum necessary standards are flexible and adaptable to the specific business needs and circumstances of the covered entity. Given the discretion covered entities have in implementing these standards, it is difficult for the Department to provide specific guidance in this area that would be generally applicable to many covered entities. The minimum necessary standard is intended to make covered entities evaluate their practices and enhance protection as needed to limit unnecessary or inappropriate access to, and disclosures of, protected health information.”


   The Privacy Rule sets forth requirements for implementing the minimum necessary standard with regard to a covered entity's uses, disclosures, and requests. A covered entity is required to develop and implement policies and procedures appropriate to the entity’s business practices and workforce that reasonably minimize the amount of protected health information used, disclosed, and requested.


The minimum necessary standard is an appropriate standard for uses and disclosures and is not merely an administrative requirement. The Privacy Rule provides adequate flexibility to adopt minimum necessary policies and procedures that are workable for the covered entity, thereby minimizing a covered entity’s liability concerns.

 

Compliance and Enforcement

(Excerpted from Office for Civil Rights/Standards for Privacy of Individually Identifiable Health Information Regulation Text, August 14, 2002)


   HHS may conduct compliance reviews to determine whether covered entities are complying with the applicable standards, requirements and implementation specifications.


   A covered entity must keep records and compliance reports and submit such documentation in an effort to enable the HHS to ascertain whether the covered entity has complied or is complying with the applicable requirements, standards, and implementation specifications.


    If an investigation or a compliance review indicates a failure to comply, HHS will inform the covered entity (and, if the matter arose from a complaint, the complainant) in writing and attempt to resolve the matter by informal means when possible. If HHS finds the covered entity is not in compliance and determines that the matter cannot be resolved by informal means, HHS may issue to the covered entity (and, if the matter arose from a complaint, to the complainant) written findings documenting the non-compliance.


Penalties for non-compliance may include but are not limited to:


A. Civil Penalties: $100 per violation, up to $25,000 per year for the same violation
B. Criminal Penalties: knowing misuse of information, $50,000 and/or 1 year in prison; misuse under false pretenses, $100,000 and/or 5 years in prison; profiting from release of information, $250,000 and/or 10 years in prison


This law does not give individuals a private cause of action. However, citizens can file complaints with HHS that can result in administrative penalties as indicated above.

 

COMPLIANCE DEADLINE


The compliance deadline for the initial implementation of the privacy standards for health care providers, health plans (other than small health plans), and health care clearinghouses is April 14, 2003.
Thereafter, HIPAA provides the HHS with the authority to modify the standards as deemed appropriate, but not more frequently than once every 12 months.


FOR SUPPLEMENTARY INFORMATION


For additional information you may access the Federal Register document on HIPAA in its entirety at the HHS Office for Civil Rights (OCR) Privacy Web site at www.hhs.gov/ocr/hipaa/


You may also order copies of the Federal Register containing this document by calling 202-512-1800 or toll free at 1-866-512-1800 or by fax at 202-512-2250. Cost for each copy is $10.00.