Healthcare is, perhaps, the most highly regulated industry in the United States. Healthcare is complicated. The regulatory landscape includes complex statutes, judicial decisions, a large body of federal rules, United States Department of Health and Human Services guidance documents, individual states' Department of Health regulations, and differing accreditation standards.
Yet the specter that looms largest in the minds of hospital executives and General Counsel is the set of Privacy and Security Regulations known as HIPAA (the Health Insurance Portability and Accountability Act of 1996). Since its passage, hospitals have spent huge amounts of money on HIPAA consulting, HIPAA lawyers, and other such precautions to make sure they are in compliance with these complex standards. HIPAA is incredibly cumbersome, running to the better part of 800 pages. Penalties for not being in HIPAA compliance can be up to $1.5 million, so ensuring compliance is extremely important. Just as flicking a light switch illuminates a room, obtaining a basic comprehension of the HIPAA regulations can cure an organization's constant worrying and provide clear focus for how to go about ensuring compliance.
The HIPAA regulations are divided into two Rules: the Privacy Rule and the Security Rule. The Security Rule's goal is to support compliance with the Privacy Rule by mandating standards that protect electronic health information of all types. The Privacy Rule is designed to prevent unauthorized use or disclosure of Protected Health Information (PHI). PHI, which may be paper-based or digital, is defined in the Privacy Rule as information regarding treatment or requests for treatment that can be linked to an individual person by one or more of 18 identifiers (name, Social Security number, etc.).
The Privacy Rule is a regulation of exclusion; it protects a patient's right to privacy by prohibiting PHI from being disseminated for anything other than the treatment, payment, or operations of a healthcare provider or plan, unless the patient explicitly authorizes it. Exceptions include emergencies, as defined, uses or disclosures required by law, and provision of PHI to third-party contractors whose work requires access to PHI. These contractors are known as Business Associates, and the Privacy Rule requires that they sign contracts known as Business Associate Agreements, in which they agree to follow the precepts of HIPAA in keeping the information confidential. After February 1, 2010, however, these Associates are directly required to abide by HIPAA, which means that they must comply with the law's requirements as though they were healthcare providers or plans.
Healthcare consulting groups and HIPAA lawyers are able to prepare Gap Analysis Reports that help bring organizations into HIPAA compliance. At base, the precepts are not complicated: use and disclose patient information only for its permitted purposes. A culture of privacy is already a pervading theme within the majority of hospitals. As such, bringing organizations into compliance with these regulations can usually be done without greatly affecting that culture.
Laura Young frequently writes on all sorts of topics, including how to bring your organization into healthcare compliance and how to find a HIPAA lawyer.