The late Farrah Fawcett, a well-known television and film actress, was in the news a few years ago when it emerged that records about her medical condition had been leaked to the newspapers. A celebrity is always at the center of attention, but leaking a patient's confidential health information is not merely gossip: it breaks federal law. The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996, and the rules issued under it govern who may access confidential patient data. Every business in the medical field must comply with them.
Who must comply with HIPAA?
If you work for an organization that collects health data from individuals, that organization is a ‘covered entity’ and is expected to comply with this law. Covered entities include:
- Healthcare centers and clinics.
- Insurance players in the health and medical space.
- Private practitioners, including general and specialist physicians.
- Psychiatrists and psychologists.
- Medical billing outlets and collection companies.
A billing service or collection agency that handles patient data on behalf of a covered entity is, strictly speaking, a ‘business associate’; it must sign a business associate agreement and is itself bound by the HIPAA rules. Whether you employ a few people or many, safeguarding patient data is of paramount importance.
Records protected by HIPAA
Patients visiting a healthcare center or clinic must be assured of confidentiality. Protected records must not be exposed and must not be accessible to people who lack the required authorization. Protected health information (PHI) covered by these federal rules includes, but is not limited to:
- Prescription data.
- Medical history logs.
- Appointment records.
- Phone and voicemail data.
- Insurance documents.
- Billing records.
Complying with HIPAA requirements
Old and obsolete patient records must be destroyed to protect patient privacy. An organization subject to HIPAA must be prepared to destroy records in accordance with a written retention and disposal policy. Paper records have to be shredded thoroughly, since simply dumping them in the trash offers no protection: anyone with malicious intent can go through the garbage and recover personal information. The same applies to electronic media; the Security Rule's device and media controls require a procedure for disposing of hardware and storage media that hold electronic protected health information (ePHI) before they are discarded or reused. Engaging a professional destruction service is a reliable option, provided the vendor, which handles PHI on your behalf, is bound by a business associate agreement.
Complying with the HIPAA rules that apply to your business gives you the peace of mind to operate without disruption from complaints or enforcement action.
The Patient Safety Rule, which implements the Patient Safety and Quality Improvement Act of 2005 (PSQIA) rather than HIPAA itself, creates a system of Patient Safety Organizations (PSOs) that collect and analyze data received from health care providers in order to identify medical errors. The goal is to improve patient safety and the quality of health care in the US. The rule protects the information providers share with a PSO, known as patient safety work product (PSWP), so that it is used only for that purpose.
PSWP is information (1) assembled or developed by a health care provider for reporting to a PSO listed by the Agency for Healthcare Research and Quality (AHRQ), or documented in the provider's patient safety evaluation system; (2) developed by a PSO for the conduct of patient safety activities; or (3) that identifies the deliberations or analysis of, or the fact of reporting to, a patient safety evaluation system.
PSWP is confidential and privileged and may be disclosed only in a handful of situations. It remains protected no matter who holds it.
If a person thinks that a covered entity or an individual has violated the privacy or security rules, or has improperly disclosed PSWP, he or she can file a complaint with the HHS Office for Civil Rights (OCR). OCR investigates complaints and enforces the Privacy Rule, the Security Rule and the confidentiality provisions of the Patient Safety Rule.
OCR will investigate and provide technical assistance to the parties, seeking an informal resolution by persuading the violator to comply voluntarily. If OCR cannot reach an informal resolution, the Secretary of HHS can impose a civil money penalty; for unlawful PSWP disclosures the statutory figure is up to $11,000 per violation, a figure that is adjusted for inflation.
To file a complaint, the following requirements must be met:
- It must be in writing and may be sent by email, mail or fax.
- The entity or person who is the subject of the complaint must be named, and the alleged violations must be described in detail.
- The complaint must be filed within 180 days of when the complainant knew, or should have known, of the violation. OCR can extend this time limit if there is good cause.
Anyone can file a complaint as soon as he or she realizes that a covered entity has violated his or her privacy.
Administrative Simplification is a set of provisions included in the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to make the health care system more efficient and effective. It requires the Department of Health and Human Services (HHS) to adopt national standards for electronic health care transactions, health identifiers and security. Congress recognized that as technology advanced, the risk of intrusion into medical privacy would grow, so the provisions also made it mandatory to adopt federal privacy protections for individually identifiable health information.
The Privacy Rule was finalized in December 2000 and modified in August 2002. It creates national standards for three kinds of covered entities:
- Health care clearinghouses
- Health plans
- Health care providers
All of these covered entities transmit health care information electronically in one form or another, and they were required to comply with the rule from April 14, 2003. Small health plans had an additional year, until April 14, 2004.
In February 2003, the Security Rule was published to create national standards for the confidentiality, integrity and availability of electronic protected health information (ePHI); compliance was required from April 2005, with small health plans given until April 2006. Both the Privacy Rule and the Security Rule are enforced by OCR, while the other Administrative Simplification rules are administered by the Centers for Medicare & Medicaid Services (CMS).
These rules include:
- Employer Identifier Standard: this rule adopts the Employer Identification Number (EIN) as the standard identifier for employers and governs its use by health care providers, health plans and health care clearinghouses.
- Transactions and Code Sets Standards: these consist of two rules. The first adopts a Medicaid subrogation standard for pharmacy claims; the second modifies the standard code sets for medical data.
- National Provider Identifier Standard: the National Provider Identifier (NPI) is a HIPAA Administrative Simplification standard. It is a unique 10-digit identification number assigned to covered physicians and other health care providers.
In addition, the Enforcement Rule sets out the procedures and penalties used to enforce all of the Administrative Simplification rules. The rules are codified at 45 CFR Parts 160, 162 and 164.