HIPAA: Understand the basics.


HIPAA is the acronym for the Health Insurance Portability and Accountability Act. Although HIPAA covers many things, physicians typically are most concerned with HIPAA’s Administrative Simplification provisions, and particularly the Privacy, Security and Breach Notification requirements. Since it was originally enacted, HIPAA has been amended and expanded several times as a result of new laws and regulations. The most sweeping change resulted from the Health Information Technology for Economic and Clinical Health Act (HITECH), enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA).

This toolkit provides an overview of the HIPAA Privacy, Security and Breach Notification Rules with which almost all physicians must comply. At their core, these rules simply implement longstanding physician commitments to protect the confidentiality of their patients’ medical information and maintain open physician-patient communications. However, the specificity of the requirements goes well beyond traditional, self-evident obligations, and violations can result in serious penalties. Thus, physicians need to understand these rules and participate in a formal compliance plan designed to ensure all the requirements are met. Physicians should also note that HIPAA is considered a “floor,” meaning that states may impose requirements that go above and beyond what the federal government requires. This toolkit is focused on the federal mandates.

In a nutshell, these three core compliance areas include:

1. The Privacy Rule
The Privacy Rule restricts covered entities’ and business associates’ use and disclosure of an individual’s "protected health information" (PHI). Physicians who transmit PHI electronically in a HIPAA Standard Transaction, such as by filing electronic claims or checking eligibility electronically, are “covered entities” and bound by HIPAA, even if they use a third party such as a billing service or a clearinghouse to do so. “Business associates” include those persons and companies that physicians hire to help their practice and that have access to their patients’ PHI, such as billing services, attorneys, accountants and consultants. "Protected health information" means individually identifiable information that is held or transmitted by a covered entity or business associate in any form or media, whether electronic, paper, or oral, that relates to the past, present, or future physical or mental health of an individual, health care services, or payment for health care. The Privacy Rule also provides for “individual rights,” such as a patient’s right to access their PHI, restrict disclosures, request amendments or an accounting of disclosures, and complain without retaliation.

2. The Security Rule
The Security Rule requires covered physician practices to implement a number of what are known as “administrative, technical, and physical safeguards” (described further on page 14 of the toolkit) to ensure the confidentiality, integrity, and availability of electronic PHI. "Electronic PHI" or "ePHI" refers to all individually identifiable health information that a covered entity or business associate creates, receives, maintains or transmits in electronic form. The Security Rule does not apply to PHI transmitted orally or in paper form.

3. The Breach Notification Rule
The Breach Notification Rule requires covered physician practices to notify affected individuals, the Secretary of the U.S. Department of Health & Human Services (HHS) and, in some cases, the media when they discover a breach of a patient’s unsecured PHI.
