Since our previous HIPAA entry exposed you to some of the shock value of the recent HIPAA violations, I assume you are checking back because you’re interested in how HIPAA may apply to your company. With this article, I wanted to provide a little foundation for HIPAA.
HIPAA is the acronym for The Health Insurance Portability and Accountability Act which was legislation passed in 1996. For you legislative purists, HIPAA was initially known as the Kennedy–Kassebaum Bill. But, yes, HIPAA has been around since 1996! I bet that, if polled, most medical or insurance privacy officers would tell you that HIPAA was enacted in the last few years.
Not only is HIPAA not new, it was also not written solely to provide punishment to medical practices that get lazy with their record keeping. It’s made up of five sections, of which only one, Title II, addresses items such as patient’s access, security, and privacy. Perhaps another day I will talk about the coding, automation, coverage, and standardization requirements of HIPAA, but not today.
The Department of Health and Human Services (HHS) enforces HIPAA, and its Office for Civil Rights (OCR) performs all the audits. Interestingly, in 2009 then-President Obama signed the American Recovery and Reinvestment Act of 2009. Contained therein, was the HITECH Act, which enabled the OCR to be funded by the very fines it levies and collects. Thus, there is little doubt that HIPAA investigations, enforcement, and fines are here to stay.
Understanding that HIPAA and its enforcement is here to stay, the next question is: “does it apply to us?” Most certainly, HIPAA does not apply to anyone who holds a medical record in their hand. But it does apply to Covered Entities such as: Health Care Plans and Clearinghouses (some may just call them the insurance side) and Health Care Providers (doctors, nurses, hospitals, those trained and licensed to provide medical care, etc.). And finally HIPAA applies to Business Associates (BA) (a party who is performing a function for a covered entity that has access to PHI, but is not their employee). So, if you are one of those folks, the HIPAA rules apply to you.
Who is, or may be, a BA will be the subject of the next HIPAA blog.