In 1996, Congress enacted the Health Insurance Portability and Accountability Act (HIPAA) primarily to protect individuals and the protected health information (PHI) contained in their medical records. HIPAA applies to all healthcare providers and to providers of services that involve the transmittal of sensitive health information. It also applies to third parties and non-institutional entities involved in healthcare transactions such as billing, coding and claims processing. Regulatory compliance with HIPAA policies and procedures is an absolute necessity for all medical organizations and providers.
Protected Health Information (PHI)
All entities handling protected health information (PHI) must comply with lengthy and complicated regulations that set forth HIPAA policies and procedures. Noncompliance can result in stiff penalties, including fines and imprisonment. The fines imposed depend on the nature of the offense and on whether the provider takes satisfactory corrective action.
The penalties for HIPAA violations scale with the extent of noncompliance. The Department of Justice handles criminal violations, while the Office for Civil Rights enforces civil actions. Noncompliance typically results in a thorough investigation, notification, and a timeframe in which to take corrective action. Fines for noncompliance range from $100 to millions of dollars. Criminal offenses may result in imprisonment for a term of one to 10 years.
HIPAA Policies and Procedures
A HIPAA policies and procedures checklist may help with the initial steps. Such a checklist guides healthcare providers and organizations through the process of creating regulatory policies, applying timelines and assigning accountability for individual tasks.
The U.S. Department of Health and Human Services requires that covered entities and organizations maintain written documentation of their HIPAA policies and procedures. They must also make this documentation available to any associates responsible for its implementation. Covered entities and organizations must maintain written business associate agreements with third-party vendors to ensure that those vendors are HIPAA compliant. All healthcare providers and organizations must have policies in place to safeguard the PHI of patients, and they must perform routine internal audits and modify procedures as necessary to maintain compliance.
HIPAA’s Three Main Components
HIPAA comprises three main components. Each complements the others and provides foundational integrity for activities across the healthcare industry.
These three components are titled:
- Administrative Simplification
- Medicaid Integrity Program
While HIPAA policies and procedures demand compliance with all three, the Administrative Simplification component applies most directly to the privacy and security of PHI.
HIPAA Administrative Simplification
The Administrative Simplification regulations set forth standard security, privacy and transaction codes across the healthcare industry. Each has its own requirements to protect individuals and their sensitive medical information.
This particular provision contains four major parts:
- The transactions element institutes industry standards for electronic transactions along with external medical data.
- The identifiers element institutes benchmarks for unique employer identifiers and National Provider Identifiers.
- The security component governs the way sensitive medical information must be safeguarded, both physically and electronically.
- The privacy portion establishes individual privacy rights and offers a measure of control over how personal health data is used, protected and disclosed.
A healthcare compliance consultant, well-versed in all aspects of HIPAA policies and procedures, may assist with their implementation. A proactive approach saves time and money while mitigating the risk of noncompliance. Knowing and understanding what the HIPAA laws require is the first step toward compliance.