Introduced in 1996, the Health Insurance Portability and Accountability Act (HIPAA) is widely used for safeguarding the privacy of health information. In this first installment of a three part series, the history and background of HIPAA are discussed, as excerpted from the book authored by HCC CEO Bob Cimasi, entitled, Healthcare Valuation: The Financial Appraisal of Enterprises, Assets, and Services, to be published by John Wiley & Sons later this year, and the recent amendment are introduced. Part II of the series, due next month, will address the implications of recent changes to HIPAA that have resulted from the transition of patient information to an electronic format and the continued integration of providers, while, Part III assesses various compliance concerns and related privacy laws.
The Health Insurance Portability and Accountability Act (HIPAA) was signed into law on August 21, 1996, and encourages the development of health information systems, as well as regulating access to, and safeguarding the privacy of, individually identifiable health information.1 The final standards for HIPAA, created by the Department of Health and Human Services (HHS) were published on August 17, 2000.2 While HIPAA serves many purposes, it is most widely used for safeguarding the privacy of Protected Health Information (PHI), i.e., individually identifiable health information.3 This protection extends to information related to the “…past, present or future physical or mental health condition of an individual; the provision of healthcare services to an individual; or the past, present or future payment for the provision of healthcare to an individual.”4 The HIPAA Privacy Rule provides standards for the use and disclosure of PHI by covered entities, as well as rights for individuals to control how their PHI is used.5 Covered entities include such companies as, “…health plans, healthcare clearinghouses, and any health care provider who transmits health information in electronic form in connection with a transaction for which the Secretary of HHS has adopted [HIPAA] standards.”6
Transactions by healthcare providers falling under the Privacy Rule include claims, benefit eligibility inquiries, referral authorization requests, and other transactions for which HHS has established particular standards.7 These transactions are covered regardless of whether they are performed by the healthcare provider, a billing service, or any other third party under contract with the provider.8 When a covered entity contracts with a third party entity to perform billing or other business associate activities, such as claims processing, data analysis, or utilization review, the covered entity must impose specific safeguards to protect PHI.9 Unintentional HIPAA violations carry fines of $100 per occurrence, up to $25,000 per year. However, intentional HIPAA violations carry criminal penalties that include fines of up to $250,000 and ten years in prison.10 Significantly, however, HIPAA does not provide for private rights of action for patients who were harmed by the dissemination of their PHI; but rather it provides patients with the option of filing a complaint with the HHS Office for Civil Rights (OCR) in the event of a violation that resulted in harm to the patient.11 The proper destruction of PHI is also protected under HIPAA.12
As the healthcare industry transitions to electronic transactions, the current version of the HIPAA standards that regulate the transmission of specific health care information, known as the Accredited Standards Committee X12 Version 4010/4010AI, have become increasingly less functional for the coding and transactional updates providers are currently required to accommodate (i.e., the coming ICD-10 transition). To rectify any inefficiency, HHS approved ASC X12 Version 5010,13 which improvements in Version 5010 include technical, structural, and data content requirements; transactional business standardization; data transmission specifications, and, delineation of various patient codes.14 The transition to HIPAA Version 5010 will likely affect many healthcare industry stakeholders, including providers, health plans, healthcare clearinghouses, and business associates that participate in electronic transactions, such as billing/service agents and vendors.15 According to a 2011 Medical Group Management Association report, 45 percent of practices would have to replace their practice management systems completely to manage Version 5010, and 50.3 percent of practices would need to install upgrades to accommodate Version 5010.16 See HC Topics article HIPAA Version 5010: What and When.
One of the most significant amendments to HIPAA was passed under the American Recovery and Reinvestment Act of 2009 (ARRA), signed into law February 17, 2009. The ARRA amended HIPAA’s health information privacy and security provisions, and created funding incentives for the widespread implementation of healthcare information technology, specifically electronic health records (EHR), through the Health Information Technology for Economic Clinical Health (HITECH) Act, a portion of the ARRA.17 For more information of HITECH see HC Topics Article Obama Signs HITECH Act for Healthcare IT.
The latest amendment to the HIPAA legislation was published on January 25, 2013 in a Final Rule from HHS and OCR, which may significantly affect business associates and their subcontractors. The Final Rule changes: (1) the definition of business associate under HIPAA; (2) the liability of business associates and subcontractors under HIPAA; and, (3) the level at which agreements between business associates and covered entities are scrutinized under HIPAA. Each of these changes and their potential impact on covered entities and their business associates will be discussed in Part II of the HC Topics HIPAA Series.
“Health Insurance Portability and Accountability Act of 1996” Pub. L. No. 104-191 (August 21, 1996).
“Health Insurance Reform: Announcement of Designated Standard Maintenance Organizations: Notice” Federal Register, Vol. 65, No. 160, August 17, 2000, p. 50373.
“Definitions,” 45 C.F.R. 160.103, (May 31, 2002), p. 701 ; “Health Insurance Portability and Accountability Act of 1996,” Pub. L. No. 104-191 (Aug. 21, 1996).
“Summary of the HIPAA Privacy Rule,” OCR Privacy Brief, United States Department of Health and Human Services, May 2003, p. 4, 9, http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/privacysummary.pdf(Accessed 6/17/09).
“Uses and disclosures of protected health information: general rules” 45 C.F.R. § 164.502(e), October 1, 2003, p. 3; “Summary of the HIPAA Privacy Rule,” OCR Privacy Brief, United States Department of Health and Human Services, May 2003, p. 3, http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/privacysummary.pdf (Accessed 6/17/09).
“Health Insurance Portability and Accountability Act, Sec. 262” Pub. Law 109-191 (August 21, 1996); “General penalty for failure to comply with requirements and standards” 42 U.S.C. § 1320d-5 (2010); “”42 U.S.C. § 1320d-7 (2010).
“Health Information Privacy: How to File a Compaint” Office for Civil Rights, U.S. Department of Health and Human Services, http://www.hhs.gov/ocr/privacy/hipaa/complaints/index.html (Accessed 9/26/12).
“Uses and disclosures of protected health information: general rules” 45 C.F.R. § 164.502(e), October 1, 2003, p. 3; “Summary of the HIPAA Privacy Rule” OCR Privacy Brief, United States Department of Health and Human Services, May 2003, p. 3, http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/privacysummary.pdf (Accessed 6/17/09).
“New Health Care Electronic Transactions Standards: Versions 5010, D.0, and 3.0” Centers for Medicare & Medicaid Services, January 2010, http://www.cms.gov/ICD10/Downloads/w5010 BasicsFctSht.pdf (Accessed 11/29/11).
“Is Your Practice Ready for Version 5010” MGMA Connexion Supplement, October 2011, p. 9.
Centers for Medicare & Medicaid Services, January 2010.
“Statement of the Medical Group Management Association to the National Committee on Vital and Health Statistics Subcommittee on Standards: RE: HIPAA Version 5010 ” Medical Group Management Association, June 17, 2011, Englewood, CO: Medical Group Management Association, p. 5.
“American Recovery and Reinvestment Act of 2009,” Pub. L. No. 111-5 (Feb. 17, 2009).