The Health Insurance Portability and Accountability Act of 1996 (HIPAA)

5 main components of HIPAA

The HIPAA Privacy Rule protects all individually identifiable health information that is held or transmitted by a covered entity or a BA. This information can be held in any form, including digital, paper or oral.

PHI includes but is not limited to the following:

  • A patient’s name, address, birth date, Social Security number, biometric identifiers or other personally identifiable information (PII);
  • An individual’s past, present or future physical or mental health condition;
  • Any care provided to an individual; and
  • Information concerning the past, present or future payment for the care provided to the individual that identifies the patient or information for which there is a reasonable basis to believe could be used to identify the patient.

PHI does not include the following:

  • Employment records, including information about education, as well as other records subject to or defined in the Family Educational Rights and Privacy Act (FERPA); and
  • De-identified data, meaning data that does not identify an individual and does not provide information that could be used to identify an individual — there are no restrictions on its use or disclosure.

Requirements

  • A privacy official, such as a chief privacy officer (CPO), must be appointed who is responsible for developing and implementing policies and procedures at a covered entity.
  • Employees, including volunteers and trainees, must be trained on policies and procedures.
  • Appropriate administrative, technical and physical safeguards must be maintained to protect the privacy of PHI in a covered entity.
  • A process for individuals to make complaints concerning policies and procedures must be in place at a covered entity.
  • If PHI is disclosed in violation of its policies and procedures, a covered entity must mitigate — to the furthest extent actionable — any harmful effects.

Permitted Uses and Disclosures

  • Disclosure to the individual (if the information is required for access or accounting of disclosures, the entity MUST disclose to the individual)
  • Treatment, payment, and healthcare operations
  • Opportunity to agree or object to the disclosure of PHI
  • Limited dataset for research, public health, or healthcare operations
  • An entity can obtain informal permission by asking the individual outright, or by circumstances that clearly give the individual the opportunity to agree, acquiesce, or object
  • Incident to an otherwise permitted use and disclosure
  • Public interest and benefit activities — the Privacy Rule permits use and disclosure of PHI, without an individual’s authorization or permission, for 12 national priority purposes:

1. When required by law
2. Public health activities
3. Victims of abuse, neglect or domestic violence
4. Health oversight activities
5. Judicial and administrative proceedings
6. Law enforcement
7. Functions (such as identification) concerning deceased persons
8. Cadaveric organ, eye, or tissue donation
9. Research, under certain conditions
10. To prevent or lessen a serious threat to health or safety
11. Essential government functions
12. Workers’ compensation

HIPAA Security Rule

To comply with the HIPAA Security Rule, all covered entities must:

  • Ensure the confidentiality, integrity, and availability of all e-PHI
  • Detect and safeguard against reasonably anticipated threats to the security of the information
  • Protect against reasonably anticipated uses or disclosures that are not permitted by the rule
  • Certify compliance by their workforce