Every patient, caregiver, and medical professional has heard the term HIPAA, but few really understand what it means beyond “more paperwork to fill out and sign” and more “red tape.” That raises the question: what is HIPAA anyway?
HIPAA is by definition the Health Information Portability and Accountability Act (www.hhs.gov/ocr/privacy) and was enacted in 1996. It is enforced by the Office of Civil Rights of the United States Government. It is a set of federal guidelines created to allow employees to take their medical insurance with them if they leave an employer, to allow people access to medical insurance despite pre-existing conditions (under some conditions), and to establish privacy standards for a patient’s health information.
But wait, there’s more: the HIPAA Privacy Rule “protects the privacy of individually identifiable health information”; the HIPAA Security Rule “sets national standards for the security of electronic health information”; and the Patient Safety Rule protects “identifiable information being used to analyze patient safety events and improve safety.”
So, who has to comply with the HIPAA rules? Basically any medical provider that transmits patient information electronically, any company that pays for all or part of a patient’s health care, and any entity that handles a patient’s medical records. So, pretty much everyone that handles patient information.
While it may mean more work for some medical professionals, these acts and rules were instituted as a means of protection for the public, and whether you love them or hate them, they are federally mandated and compliance is imperative.
We’ve covered, at a very basic level, what HIPAA is and who has to comply, but there seem to be so many rules to follow. How does a medical office have time to meet the needs of its patients when it spends so much time making sure it is compliant?
Actually, once the safeguards are in place, it is pretty easy, so long as every employee knows how to handle the information correctly. Getting those safeguards in place can be time-consuming, and non-compliance can be costly.
Fines, lawsuits, and even jail time in some cases are among the penalties for non-compliance or outright violation of HIPAA rules. The penalties can be applied corporately or individually depending on the circumstances and a loss of revenue is certain for clinics and their staff who are found to be non-compliant. This further illustrates the need for a standard of practice in a medical office regarding the handling of individually identifiable health information.
Any medical office or facility should be compliant when it begins operating. However, offices and practices that were in business before the Act were given deadlines to meet along the way. The American Recovery and Reinvestment Act of 2009, which is part of the HITECH Act, provided that Health and Human Services would conduct audits to ensure that all applicable businesses covered by these mandates are compliant. The Office of Civil Rights began a system of audits in November of 2011, to continue until December of 2012, that will perform “up to 150 audits to assess the privacy and security compliance”. This may sound like a way to trap offices that are not toeing the line, but the opposite is true. The findings will be used to assess HIPAA compliance efforts and to provide information on best practices, risks, and vulnerabilities that may not be commonly known or considered.
The “how” of HIPAA cannot easily be expressed in a quick overview, given how much important information it involves. The many variables of your inter-office communications, the technology used for charting, and the way you share information and handle billing all demand that your specific needs be addressed when considering how to become HIPAA compliant and what that means for your office. There are many great resources that can help establish these details. HHS.gov has great articles and resources that explain the intricacies of this Act and all the bells and whistles that go with it.