The Health Insurance Portability and Accountability Act (HIPAA), also
known as the Kennedy-Kassebaum Bill, K2, and Public Law 104-191, was
enacted by the United States Congress in 1996. Health Insurance Reform:
Security Standards; Final Rule; Privacy Rule (45 CFR Part 160, 162,
and 164) adopts standards as required under HIPAA. http://www.hhs.gov/ocr/hipaa/finalreg.html
HIPAA gives the Department of Health and Human Services (HHS) the
authority to mandate the use of standards for the electronic exchange
of healthcare information and specify the types of measures required
to protect the security and privacy of personally identifiable healthcare
information. http://www.hhs.gov/ocr/hipaa/
The HIPAA regulations apply to:
- Healthcare providers
- Healthcare payers such as health plans and health insurance
providers, HMOs and Medicare
- Clearinghouses of health information
- Employers providing health insurance that have access to Protected
Health Information (PHI)
- Entities that have PHI access for other reasons, such as on-site
clinics.
HIPAA http://aspe.hhs.gov/admnsimp/pl104191.htm
was designed to allow individuals to qualify immediately for
comparable health insurance coverage when they change employment
associations and, through a separate set of provisions, Administrative
Simplification, mandated security standards to protect
every person’s health information, while permitting the appropriate
access and use of that information by healthcare providers,
clearinghouses, and health plans. Prior to HIPAA, there were
no standards in the healthcare industry that addressed all aspects
of the security of electronic protected health information while it
was being used, in storage, or exchanged between entities.
The four regulatory components of Administrative Simplification
are:
- Transaction Code Set regulations which establish
a uniform standard of data elements used to document reasons
patients are seen and the procedures performed during healthcare
visits.
- National Provider Identifier (NPI) regulations which
establish the standard unique health identifier for healthcare
providers to simplify administrative processes, improve the
accuracy of data, and reduce costs.
- Privacy regulations which establish standards for
protecting individually identifiable health information
and for guaranteeing the rights of individuals to have additional
control over such information.
- Security regulations which establish standards
for the security of electronic protected health information
(PHI). These standards include: administrative safeguards
(security management, information access, contingency planning,
etc.); physical safeguards (physical access to information
within buildings, floors, departments, workstations, back-up
tapes, etc.); and technical safeguards (user software
access rights, tracking access, etc.).
The privacy rules define the rights of individuals, and the security
rules define the processes and technology required to ensure that privacy.
The Privacy Rule establishes new procedures and safeguards that
restrict the circumstances under which a covered entity may
give individually identifiable health information or protected
healthcare information (PHI) to law enforcement officers. Law
enforcement may not access PHI without a warrant or other prior
legal processes when attempting to identify or locate a suspect.
The Rule specifically prohibits disclosure of DNA information
without, for example, a warrant or other legal requirement.
The Privacy Rule also protects victims of domestic violence
or abuse. Under most circumstances, law enforcement cannot obtain
PHI information about such victims without their permission
to the covered entity. This restriction is currently not required
by the majority of States. State laws that impose restrictions
beyond those of the Privacy Rule must still be applied, however;
the Rule sets the national floor for legal safeguards.
The Privacy Rule allows covered entities to disclose PHI to
law enforcement officials without the individual’s written authorization
under certain circumstances (45 CFR 164.512(f)):
- To comply with a court order
- To respond to an administrative request from a law enforcement
official
- To respond to a request for PHI for purposes of identifying
or locating a suspect, fugitive, material witness, or missing
person (specific limitations are defined).
The HIPAA Privacy rule does not modify the Common Rule. Where
both the Privacy Rule and the Common Rule apply, both regulations
must be followed. The Privacy Rule regulates only the contents
and conditions of the documentation that covered entities must
obtain before using or disclosing protected health information
for research purposes.
The Rule permits a covered entity to “reasonably rely” on a
researcher’s documentation from an IRB or Privacy Board that the
requested information is the minimum necessary for the research
purpose (45 CFR 164.514(d)(3)(iii)). Documentation is acceptable
from either an external IRB or Privacy Board or one associated
with the covered entity.
HIPAA establishes the essential rules that all juvenile justice
professionals must follow when using or sharing youth healthcare
information for research and in practice. Juvenile justice professionals
are also responsible for identifying and adhering to more stringent
rules that have been enacted by some State and local governments
and other Federal regulations, which the Privacy Rule does
not impede. Specific conditions and requirements for disclosures
are defined in Part 164 (Security and Privacy) of the Privacy
Rule: http://www.access.gpo.gov/nara/cfr/waisidx_02/45cfr164_02.html
The Department of Health and Human Services Office for Civil
Rights enforces penalties for failure to comply with HIPAA, which
may include both civil and criminal punishment. Civil penalties
range from $100 per violation up to $25,000
per calendar year, and criminal penalties reach up to 10 years imprisonment
and a $250,000 fine.