HIPAA is the acronym for the Health Insurance Portability and Accountability Act. Although HIPAA covers many things, physicians typically are most concerned with HIPAA’s Administrative Simplification provisions, and particularly the Privacy, Security and Breach Notification requirements. Since it was originally enacted, HIPAA has been amended and expanded several times as a result of new laws and regulations. The most sweeping change resulted from the Health Information Technology for Economic and Clinical Health Act (HITECH), enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA).

This toolkit provides an overview of the HIPAA Privacy, Security and Breach Notification Rules with which almost all physicians must comply. At their core, these rules simply implement longstanding physician commitments to protect the confidentiality of their patients’ medical information and maintain open physician-patient communications. However, the specificity of the requirements goes well beyond traditional, self-evident obligations, and violations can result in serious penalties. Thus, physicians need to understand these rules and participate in a formal compliance plan designed to ensure all the requirements are met. Physicians should also note that HIPAA is considered a “floor,” meaning states may have requirements that go above and beyond what the federal government requires. This toolkit is focused on the federal mandates.

In a nutshell, these three core compliance areas include:  

1.  The Privacy Rule 

The Privacy Rule restricts covered entities’ and business associates’ use and disclosure of an individual’s “protected health information” (PHI). Physicians who transmit PHI electronically in a HIPAA Standard Transaction, such as by filing electronic claims or checking eligibility electronically, even if they are using a third party such as a billing service or a clearinghouse, are “covered entities” and are bound by HIPAA. “Business associates” include those persons and companies that physicians hire to help their practice and that have access to their patients’ PHI, such as billing services, attorneys, accountants and consultants. “Protected health information” means individually identifiable information that is held or transmitted by a covered entity or business associate in any form or media—whether electronic, paper, or oral—that relates to the past, present, or future physical or mental health of an individual, health care services, or payment for health care. The Privacy Rule also provides for “individual rights,” such as a patient’s right to access their PHI, restrict disclosures, request amendments or an accounting of disclosures, and their right to complain without retaliation.

2.  The Security Rule 

The Security Rule requires covered physician practices to implement a number of what are known as “administrative, technical, and physical safeguards” (described further on page 14) to ensure the confidentiality, integrity, and availability of electronic PHI. “Electronic PHI or ePHI” refers to all individually identifiable health information a covered entity or business associate creates, receives, maintains or transmits in electronic form. The Security Rule does not apply to PHI transmitted orally or in paper form.

3.  The Breach Notification Rule

The Breach Notification Rule requires covered physician practices to notify affected individuals, the Secretary of the U.S. Department of Health & Human Services (HHS) and, in some cases, the media when they discover a breach of a patient’s unsecured PHI.

What medical billing specialists should do regarding HIPAA

• Do not share patient data with a colleague unless that individual needs to access the data.

• When you share approved patient data with another individual, do so in private, not in a classroom or a shared conversation area.

• Remove documents from faxes, copiers and printers immediately. If you print patient data, collect it from the printer right away.

• Do not use the patient’s name when discussing patient data with a colleague, because others may overhear your discussion.

• When leaving a message for a patient, give the minimum amount of information. Just say, “Call the office of Dr. X.” Do not say, “Call Dr. X’s office for your urine test results.”

• Do not leave patient data on or in a desk.

• Cover or conceal patient data when someone comes to your desk.

• A patient’s medical data cannot be disclosed without the patient’s written consent, unless the medical information is subpoenaed.

• You have no right, regardless of the circumstances, to ignore HIPAA.

• Do not assume that a patient has signed a form authorizing another individual to share the patient’s health data. Always check that the signed form is in the file.