Health Insurance Portability and Accountability Act (1996) HIPAA
By Ugo Stephen, Culled from www.counseling.org
First, let’s get familiar with the acronyms. HIPAA stands for the Health Insurance Portability and Accountability Act (1996). HIPAA was enacted by the U.S. Congress in 1996. Those thoughtful people gave health professionals until April 14, 2003 to comply fully with all properties of the act. For those of you counting, that was seven years to get things in order. Lucky for you, with the help of this article, it will not take that long. The intent of this Act is to protect clients, reduce fraud, improve quality of health care, and set strict standards for how private information about clients is transmitted (the widespread use of electronic data transmissions made things faster but is considered risky; HIPAA, 1996).
Now, let us shift our focus to the materials included in HIPAA. In a snapshot, Title II of HIPAA (Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform) is the part pertinent to us as caregivers, and it is broken into five rules. These rules are: The Privacy Rule; The Transactions and Code Sets Rule; The Security Rule; The Unique Identifiers Rule; and The Enforcement Rule.
The Privacy Rule
Two of the Title II rules are of the most interest to us as providers: The Privacy Rule and The Security Rule. The Privacy Rule establishes regulations for the use and disclosure of PHI (HIPAA, 1996). PHI is Protected Health Information; generally, PHI is any information about health status, provision of health care, payment, and medical records (HIPAA, 1996). Basically, it is anything that identifies an individual. Ready for the specifics? The list reads as follows: name, address, name of relatives, name of employers, date of birth, telephone number, fax number, e-mail address, social security number, medical record/account number, health plan number, certificate/license number, any vehicle or serial number, URL, finger or voice prints, photographic images, and any other unique identifying code or characteristic (HIPAA, 1996). This means that even using the word “blonde” in an elevator could be a violation (as if talking about a client in an elevator isn’t bad enough).
A common concern for providers is the terms under which information can, should, or must be disclosed. If your client requests their information, you have 30 days to provide it. Also, by law a provider can be required to disclose information. For example, if child abuse is a concern with a client, then your state child welfare agency requires some identifiable information. Give it to them, but limit what you provide to the minimal amount that still allows you to achieve your intended purpose. So now that you know that information can leave your office, it is time to hear the catch. The Privacy Rule requires that you keep a record of your disclosures (HIPAA, 1996).
The Security Rule
The Security Rule is broken into three specific types of security safeguards: administrative, physical, and technical. For each of the three types, the Rule identifies security standards and both required and addressable implementation specifications. Required specifications are a must and are expected to be followed down to the letter. The term addressable means there is some flexibility so that a clinic can evaluate how best to address the specifications with consideration to its unique situation (HIPAA, 1996).
Compliance is taken seriously by the United States Government. Just say the word “audit” and watch people sweat. As with any offense, there come fines and time behind bars. Compliance violations start with $100 fines and can go all the way up to $250,000 and 10 years in prison (HIPAA, 1996). Value your clients and do not ever consider compromising their privacy, whether inadvertently or with intent for personal gain.