What Is HIPAA Law in Healthcare and What Does It Regulate?
The Health Insurance Portability And Accountability Act (HIPAA) was signed into law in the year 1996, by President Bill Clinton. It is a legislation which provides security provisions and data privacy, in order to keep patients’ medical information safe. The act contains five titles, or sections, in total:
- HIPAA Title I aims to protect coverage of health insurance for those who have changed or lost their jobs. It prevents group health plans from refusing to cover individuals who have pre-existing diseases or conditions, and prohibits them from setting limits for lifetime coverage.
- HIPAA Title II aims to direct the United States Department Of Human Services and Health in order to standardize the processing of electronic healthcare transactions nation-wide. It requires the organizations to implement safe electronic access to the patients’ health data, remaining in compliance with the privacy regulations which were set by the HHS.
- HIPAA Title III is related to provisions which are tax-related, as well as general medical care guidelines.
- HIPAA Title IV defines a further reform in health insurance, including provisions for those who have pre-existing diseases or conditions, and individuals who are seeking continued coverage.
- HIPAA Title V includes provisions associated with company-owned insurance, and treatment of those who lost their citizenship for income tax reasons.
Most of the time, in IT circles, people who refer to HIPAA compliance mean adhering to the Title II. it is also known as ‘Administrative Simplification’ provisions, and includes following the HIPAA compliance requirements above:
- National Provider Identifier Standard. This requires that every single health care entity, like employers, individuals, healthcare providers and health plans, need to have a unique 10-digit provider identifier code – their NPI (National Provider Identifier).
- Transactions and Code Sets Standards. This orders organizations to follow a standard mechanisms for EDI (electronic data interchange), when processing or submitting insurance claims.
- HIPAA Privacy Rule. This rule aims to establish national standards that protect patients’ health information, make sure any individually identifiable information is safe.
- HIPAA Security Rule. This rule sets standards for patients’ data security as well.
- HIPAA Enforcement Rule. Lastly, this rule establishes the guidelines for investigating violations of HIPAA.
In the year 2013, HHS put in place the HIPAA Omnbius Rule, in order to implement a few modifications to the earlier version, in accordance with certain guidelines, which were set in 2009 by the HITECH Act. It concerns mostly the responsibility of business associates of the entities that are covered. This rule also makes change to the penalties for violations of HIPAA compliance, increasing them to a maximum of 1.5 million dollars per incident.
HIPAA violations can be very costly for a health care organization. First of all, the Breach Notification Rule, set in the omnibus, requires that the entities which are covered as well as any of their business associates notify patients that they are following a data breach. In addition to these costs, the organizations may encounter fines after the audits get conducted by the Office of Civil Rights (OCR). Providers may even face criminal charges for violation of such rules.
Organizations are able to lower the risk of regulatory action by taking practice in training programs for HIPAA compliance. The OCR offers six programs in total which aim to educate employees about the security and privacy rules. Many other training groups and consultancies offer programs, too. Providers may even create their own programs, encompassing other areas such as the current HIPAA policies, the HITECH Act and management processes from mobile devices and other certain applicable guidelines.
There is no official certification program for HIPAA compliance, but many training companies offer credentials which indicate the understanding of guidelines and regulations the act specifies.