HIPAA - the Health Insurance Portability and Accountability Act

 

What is HIPAA?

HIPAA stands for the Health Insurance Portability & Accountability Act of 1996 (Public Law 104-191), which amends the Internal Revenue Service Code of 1986. It is also known as the Kennedy-Kassebaum Act.

What does HIPAA call for?

HIPAA calls for sweeping changes in most healthcare transaction and administrative information systems.

The regulations are a comprehensive set of requirements for obtaining consent to use patient health care information, advising the patient of the patient’s rights to know the uses made of patient health care information, maintaining the confidentiality of patient health care information, and ensuring that each health care provider or health care provider organization has procedures and personnel designated to educate providers about health care data and to properly maintain it in accordance with the regulations.

The regulations are extensive and complex.  Specifically, this means:

·    Standardization of electronic patient health, administrative and financial data

·    Unique health identifiers for individuals, employers, health plans and health care providers

·    Security standards protecting the confidentiality and integrity of "individually identifiable health information," past, present or future

Who is affected?

All healthcare organizations. This includes all health care providers, physician offices, health plans, employers, public health authorities, EMS agencies, life insurers, clearinghouses, billing agencies, information systems vendors, service organizations, and universities.

Compliance deadlines?

Most entities have 24 months from the effective date of the final rules to achieve compliance. The Transactions Rule was published on August 17, 2000, so the compliance date for that rule is October 16, 2002. The Privacy Rule was published on December 28, 2000, but due to a minor glitch it didn't become effective until April 14, 2001. Therefore, compliance is required for the Privacy Rule on April 14, 2003.

Meeting the requirements is expected to require a significant effort. Each EMS jurisdictional operational program needs to understand and be prepared to comply with these regulatory requirements on or before the deadline.

Are there penalties?

HIPAA calls for severe civil and criminal penalties for noncompliance, including:

·    fines up to $25K for multiple violations of the same standard in a calendar year 

·    fines up to $250K and/or imprisonment up to 10 years for knowing misuse of individually identifiable health information.

Where can I learn more?


Here are a number of links that will provide additional information regarding HIPAA:

http://www.health.state.ny.us/nysdoh/medicaid/hipaa/faq.htm.  The New York State Department of Health HIPAA page

http://cms.hhs.gov/hipaa.  The Center for Medicaid and Medicare Services HIPAA page.  Lots of information.

http://www.hipaaconsulting.com/ Includes a glossary of terms, news, timelines, and a HIPAA readiness assessment tool.

http://www.hipaadvisory.com provides excellent overviews of HIPAA standards, informative articles, and up-to-date news briefs.

http://www.hipaacomply.com/ includes links, news, timelines, discussion tools, legislation, and events.

http://www.olcsoft.com/hipaa_links.asp provides dozens of additional links and resources on HIPAA.

http://www.pwwemslaw.com - Page, Wolfberg & Wirth - the EMS Law Firm - have many items to assist your EMS Agency with HIPAA Compliance
