OVERVIEW
HIPAA is the acronym for the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), formerly the Kennedy-Kassebaum Bill. Signed into law by President Clinton, this legislation was designed to incrementally reform healthcare in the United States. HIPAA is best known as the law that provides individuals and their families continued health insurance coverage after leaving, or losing, a job. However, HIPAA has evolved into a wide-reaching mandate geared toward assuring the privacy and security of individually identifiable healthcare information and standardizing electronic healthcare transactions. The primary objective of HIPAA is the overall reduction of healthcare expenditures.
The HIPAA regulations apply to all healthcare organizations that maintain or transmit health information electronically. This includes all healthcare providers, from integrated delivery systems to private physician practices, as well as healthcare clearinghouses and health plans; together these are referred to as covered entities. Compliance with the HIPAA regulations is not a one-time event but an ongoing process that requires continued monitoring and updating. Non-compliance can lead to substantial criminal and civil penalties, which range from $100 per violation up to a maximum of $25,000 for a single violation. Fines can range up to $250,000 and 10 years in prison for wrongful disclosure with intent to sell information. Additionally, credentialing authorities, such as the Joint Commission on the Accreditation of Healthcare Organizations (JCAHO) and the National Commission on Quality Assurance (NCQA), are evaluating means of integrating the HIPAA mandates into their evaluation processes.
It is critical to recognize that HIPAA is not an information technology issue but a management issue for all covered entities. There are legal, regulatory, process, security and technology aspects to each rule. Therefore, it would be unwise to believe that installing information systems on its own would achieve HIPAA compliance. Covered entities must analyze their processes and policies relative to the regulations via a detailed gap analysis. Only after identifying operational strengths and weaknesses can an optimal compliance plan specific to the entity be constructed and implemented.
The Administrative Simplification portion of the HIPAA law presents covered entities with uncertainties and will require activities that are anticipated to equal, or surpass, those of Y2K. Administrative Simplification falls into the following four broad sections:
Three of these categories, EDI Transactions and Code Sets, Unique Identifiers and Privacy, have been approved by the Department of Health and Human Services (DHHS) Secretary and have established compliance dates.