What is HIPAA?
HIPAA is a very well-known acronym in the healthcare industry these days. It consists of old-millennium ideas yet it brings new-millennium realities. A few people love it, a fair amount of people understand the value it brings, and even more people dislike it. So, what is all the fuss about?
HIPAA is the Health Insurance Portability and Accountability Act of 1996 and is also known as Public Law 104-191 and the Kennedy–Kassebaum Bill, named after its creators, Senators Edward Kennedy (D-MA) and Nancy Kassebaum (R-KS). This legislation was passed by the Congress, signed into law by Bill Clinton, and became effective on August 21, 1996. The overall goal of HIPAA is to provide insurance portability, fraud enforcement, and administrative simplification for the healthcare industry (Harold & Beaver, 2014).
HIPAA was formed out of the growing concerns about keeping healthcare information private, the need to consolidate nonstandard healthcare data and transaction formats, as well as the general consensus to streamline healthcare operations and reduce the cost of providing healthcare services. This legislation has been a long time coming for the healthcare industry — an industry known to be behind the times from a technology perspective. In fact, there have been numerous, well-known stories of privacy and security breaches in the healthcare industry. As listed in the Medical Privacy Stories published by the Health Privacy Project,* here are just a few of the highlights:
- A hacker compromised the medical records, health information, and Social Security numbers of over 5000 medical center patients.
- E-mails, some of them containing sensitive records, were sent out to the wrong people, affecting 858 online members.
- Thousands of medical records en route to be destroyed fell out of a vehicle, causing them to be blown throughout Mesa, AZ.
- A computer disk containing the names of 4000 people who tested positive for HIV was sent to two newspapers.
A country singer’s medical records were sold to tabloid magazines by a hospital employee for $2610. The Administrative Simplification section (Title II, Subtitle F) of HIPAA — the portion of HIPAA that we will explore in this book — was designed to help decrease the costs of healthcare administration with the goal of spending that money instead on increasing the quality of healthcare. This includes standardizing on electronic transactions, national identifiers, and ensuring the privacy and security of confidential health information.
The Department of Health and Human Services (HHS) is the organization responsible for establishing the HIPAA standards. In February 2003, HHS Secretary Tommy G. Thompson concisely summarized HIPAA Administrative Simplification by stating the following upon final release of the HIPAA Security Rule: Overall, these national standards required under HIPAA will make it easier and less costly for the healthcare industry to process health claims and handle other transactions while assuring patients that their information will remain secure and confidential. The security standards in particular will help safeguard confidential health information as the industry increasingly relies on computers for processing healthcare transactions.
As published in the final Privacy Rule, HHS states that HIPAA Administrative Simplification has three major purposes:
- To protect and enhance the rights of consumers by providing them access to their health information and controlling the inappropriate use of that information
- To improve the quality of healthcare in the United States by restoring trust in the healthcare system among consumers, healthcare professionals, and the multitude of organizations and individuals commit- ted to the delivery of care
- To improve the efficiency and effectiveness of healthcare delivery by creating a national framework for health privacy protection that builds on efforts by states, health systems, and individual organizations and individuals healthcare information, referred to as the Privacy Rule and the Security Rule; standardized electronic transactions and code sets, referred to as the
Electronic Transactions and Code Sets Rule; and national identifiers, referred to as the Unique Identifier Rules. In this book, we provide a brief overview of the Electronic Transactions and Code Sets Rule, which you can find later in this chapter, and in-depth coverage of the Privacy and Security Rules throughout the rest of the book. Moving forward, unless noted oth- erwise, our references to HIPAA will focus solely on Administrative Simplification and, more specifically, on the Privacy and Security Rules.
What HIPAA Covers
In addition to the various transactions and code sets standards, HIPAA mandates protection of various forms of confidential health information referred to as protected health information (PHI). PHI is considered any oral or recorded information relating to any past, present, or future physical or mental health of an individual, provision of healthcare to the individual, or the payment for the healthcare of that individual. With very few exceptions, oral or recorded PHI consists of individual health information that is spoken, written, or stored in hard copy or electronically in any way. A similar, more- specific term that relates to this type of information is individually identifiable health information (IIHI).
Basically, IIHI identifies or can be used to reasonably identify an individual. There are 18 identifiers defined by HIPAA that can be used to identify an individual, such as name, Social Security number, and medical record number. These 18 identifiers are collectively referred to as PHI when used in activities covered by HIPAA. Information that has been “deidentified ” is not covered under HIPAA. We will go into more detail about PHI and IIHI in Chapter 5, where we cover the Privacy Rule in detail.
Organizations that Must Comply with HIPAA
Covered Entities Virtually the entire healthcare industry, as well as a significant number of organizations in other industries, is affected by HIPAA in one way or another. Large insurance companies to hospitals to self-insured employers to small physician practices are required to comply with HIPAA. These organizations are called covered entities (CEs).
There are three main categories of CEs:
- Healthcare providers: A healthcare provider can be an individual, a group, or an organization. An individual is a natural person licensed or authorized in some other way to perform or provide medical services, care, equipment, or supplies. A few examples include doc- tors, nurses, pharmacists, and physical therapists. A group is one that is typically made up of more than one person to provide patient care, including professional services such as billing and payment. For example, two physicians are practicing as a group by billing and receiving payments as a single entity. An organization is an entity composed of more than one person that is authorized to provide medical services, care, equipment, or supplies as part of their usual business. A few examples include hospitals, laboratories, pharmacies, nursing facilities, and health maintenance organizations (HMOs).
- Health plans: Generally speaking, these are individual or group plans that provide or pay for medical care. Examples include private and governmental health insurance issuers such as HMOs, PPOs, Medicare and Medicaid programs, as well as employer-sponsored health plans with coverage for 50 or more employees. Health plans do not include workers’ compensation programs, property and casualty programs, or disability insurance programs, even though they may pay healthcare costs.
- Healthcare clearinghouses: These are public or private entities that process or facilitate the processing of nonstandard data elements of health information into a standard format, or convert from a standard format to one that is nonstandard, for electronic transactions. A few examples include billing services, repricing companies, value-added networks, and even some banks.