HIPAA
Privacy
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule is a Federal law that sets national standards for how health plans, health care clearinghouses, and most health care providers (referred to as Covered Entities in the Rule) must protect the privacy of a patient’s health information. Even though HIPAA requires health care providers to protect patient privacy, providers are permitted, in most circumstances, to communicate with the patient’s family, friends, or others involved in the patient’s care or in payment for that care.
A Covered Entity is permitted, but not required, to use and disclose Protected Health Information (PHI) without an individual’s authorization for the following purposes or situations: 1) to the Individual; 2) Treatment, Payment, and Health Care Operations; 3) Opportunity to Agree or Object (informal permission from the individual, e.g. to list the patient in a hospital patient directory, or to allow a pharmacy to dispense a filled prescription to a person acting on behalf of the individual); 4) Incident to an otherwise permitted use and disclosure; 5) Public Interest and Benefit Activities (public health reporting, health oversight agencies, disclosures required by law, etc.); and 6) Limited Data Set for the purposes of research, public health, or health care operations.
The Office for Civil Rights enforces the HIPAA Privacy Rule, which protects the privacy of individually identifiable health information, and the confidentiality provisions of the Patient Safety Rule, which protect identifiable information being used to analyze patient safety events and improve patient safety.
To be HIPAA Privacy compliant, at a minimum, a physician practice should have:
- A written privacy policy, assuring that PHI is disclosed only as permitted by law
- A written Notice of Privacy Practices posted in a public area of the practice and provided to all patients when they are first seen at the practice
- A procedure for documenting acknowledgement of privacy policies by patients
- A written policy and procedure for obtaining and handling authorizations for disclosures of PHI
- A written policy for handling revocation of authorizations
- A written medical record policy that includes safeguards to ensure patient privacy is maintained and assured
- A written policy regarding patient requests concerning PHI
- A written policy to handle patient complaints concerning PHI privacy
- A training program for all employees on its privacy policies and procedures
- A written policy for employee discipline for violation of practice privacy policies
- A written paper and electronic document retention and disposal policy
- A written policy to account for all disclosures of PHI
- A procedure for reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of PHI
- A designated Privacy Officer
Security
The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 were enacted to establish national standards for the security of electronic health care information. The resulting Security Rule specifies a series of administrative, technical, and physical security procedures that covered entities must use to assure the confidentiality of electronic protected health information. Each standard is delineated into either required or addressable implementation specifications.
The American Recovery and Reinvestment Act of 2009, commonly known as the Stimulus Bill, signed into law on 2/17/09 by President Obama, makes several significant changes to the protection of confidential health information mandated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its Privacy and Security Regulations. Although most of these changes take effect one year following enactment, on 2/17/10, a few provisions have different effective dates, as noted below.
- Patients must be notified of breaches involving unsecured PHI (effective 9/23/09)
- Business Associates* will be subject to HIPAA’s security provisions and sanctions
- Patients may require that a provider not disclose certain services to health plans
- Providers using electronic health records (EHRs) must account for disclosures. The effective date for current EHR users is 1/1/14; for providers that acquire an EHR after 1/1/09, this provision is effective for disclosures made on the later of 1/1/11 or the date the provider acquires the EHR.
- Providers who use EHRs must be able to provide a patient’s information in electronic format
- Enhanced enforcement and penalties. These enhanced penalties and enforcement rights take effect immediately.
*Business Associate: a person or organization, other than a member of the covered entity’s workforce, that performs certain functions or activities on behalf of, or provides certain services (e.g. claims processing, billing, data analysis) to, a covered entity, where those functions or services involve the use or disclosure of individually identifiable health information.
Coding and Transactions
On January 16, 2009, the Department of Health and Human Services (HHS) published two final rules to adopt updated HIPAA standards.
In one rule, HHS is adopting X12 Version 5010 and NCPDP Version D.0 for HIPAA transactions. In this rule, HHS also adopts a new standard for Medicaid subrogation for pharmacy claims, known as NCPDP Version 3.0. For Version 5010 and Version D.0, the compliance date for all covered entities is January 1, 2012. The compliance date for the Medicaid subrogation standard is also January 1, 2012, except for small health plans, which will have until January 1, 2013 to come into compliance.
In a separate final rule, HHS modifies the standard medical data code sets for coding diagnoses and inpatient hospital procedures by concurrently adopting the International Classification of Diseases, 10th Revision, Clinical Modification (ICD-10-CM) for diagnosis coding and the International Classification of Diseases, 10th Revision, Procedure Coding System (ICD-10-PCS) for inpatient hospital procedure coding. These new code sets replace the current International Classification of Diseases, 9th Revision, Clinical Modification, Volumes 1 and 2 (diagnosis codes) and Volume 3 (procedure codes) respectively. The implementation date for ICD-10-CM and ICD-10-PCS is October 1, 2013 for all covered entities.
National Provider Identifier
The National Provider Identifier (NPI) is a Health Insurance Portability and Accountability Act (HIPAA) Administrative Simplification Standard. The NPI is a unique identification number for covered health care providers. Covered health care providers and all health plans and health care clearinghouses must use NPIs in the administrative and financial transactions adopted under HIPAA. The NPI is a 10-position, intelligence-free numeric identifier (a 10-digit number). "Intelligence-free" means that the number carries no other information about the health care provider, such as the state in which the provider practices or the provider’s medical specialty. The NPI must be used in lieu of legacy provider identifiers in the HIPAA standard transactions.
As outlined in the Federal regulation implementing the Health Insurance Portability and Accountability Act of 1996 (HIPAA), covered providers must also share their NPI with other providers, health plans, clearinghouses, and any entity that may need it for billing purposes.
The Office for Civil Rights, part of the Department of Health and Human Services, has more information about HIPAA on its web site at: http://www.hhs.gov/ocr/hipaa
http://www.hhs.gov/ocr/privacy/hipaa/administrative/index.html
http://www.cms.hhs.gov/SecurityStandard/
http://www.cms.hhs.gov/TransactionCodeSetsStands/02_TransactionsandCodeSetsRegulations.asp#TopOfPage
http://www.cms.hhs.gov/NationalProvIdentStand/
http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html