HIPAA Privacy & Security Compliance
INVISUS makes privacy and security compliance fast, simple and inexpensive with a turnkey solution.

Implementation & Certification
Complete HIPAA compliance implementation services, including training. Get certified HIPAA compliant!

HIPAA Overview
The Health Insurance Portability and Accountability Act of 1996 was enacted with the intent of improving the overall efficiency of the health care system in the United States. The law was originally created to simplify and improve the complex and costly health insurance system. The first part of HIPAA to affect the healthcare industry was the Electronic Transactions standard, covering billing, payment and other administrative transactions within the healthcare system.
But with the widespread use of computers, the Internet, and electronic billing in the health care industry over the last several years, HIPAA's requirements grew to include new, far-reaching rules protecting the Privacy and Security of patient health information. Other components of HIPAA will take effect over the next several years.
Key Parts of the Law
The law (HIPAA) requires the United States Department of Health and Human Services (DHHS) to develop and adopt common standards and requirements for Privacy, Security and the other parts of the law, including standards that will affect the health care industry in the future. The parts of HIPAA that immediately impact health care organizations are briefly described below.
Privacy
HIPAA requires that patient medical records and other protected health information be kept private and confidential. Under HIPAA, individuals now have significant rights to understand and control who accesses their personal health information and how their information is used.
Health care providers and health plans are required to create privacy-conscious business practices, which include the internal protection of medical records, employee privacy training, implementation of privacy policies and the designation of a privacy officer, or internal HIPAA Administrator.
Most covered entities were required to comply with the HIPAA Privacy requirements by April 14, 2003; small health plans were given until April 14, 2004.
Security
Under HIPAA, all organizations that record, maintain, or transmit electronic personal health information are required to ensure that the information is kept confidential, is protected against improper alteration or destruction, and remains available to those who legitimately need it.
With the healthcare industry's increased reliance upon computers, software programs and the Internet, it has become critical to protect and secure computer systems that contain or transmit protected health information from the increasing number of computer-based security threats.
HIPAA security requirements also require organizations to protect the physical security of personal health information, through policies, procedures and training.
At a minimum, health care organizations must conduct a full security risk assessment and develop a comprehensive security plan to protect their information. The final rule for HIPAA Security is expected no later than the second quarter of 2003.
Electronic Transactions
HIPAA regulations require that all health care organizations that conduct any type of electronic transaction for submitting insurance claims and other related administrative transactions conform to a new electronic transaction standard format.
The new format simplifies and standardizes over 400 different types of EDI formats currently used in the healthcare industry, and establishes standard data content, codes and formats.
Healthcare organizations were required to meet the final Electronic Transaction rule by October 16, 2002. Many organizations were able to file an extension prior to this deadline, granting them until October 16, 2003 to comply.
Who Must Comply?
The requirements outlined by HIPAA are far-reaching. All healthcare organizations that transmit and maintain electronic health information must comply. The covered entities are health plans (including health insurance companies), healthcare clearinghouses, and healthcare providers, including physician offices, that transmit health information electronically. Any other business, professional, or entity that maintains or transmits personal health information on a covered entity's behalf is bound to the same protections through its business associate agreement with that covered entity.
If a healthcare provider performs any computer or electronic functions in his or her practice (e.g. billing, eligibility checks, referral authorization, financial transactions), he or she is a covered entity under HIPAA and must comply with the Privacy, Security and Electronic Transaction standards.
If a billing company or other outside entity performs these functions on the provider's behalf, the provider is still considered a covered entity under HIPAA and remains responsible for compliance.
HIPAA Enforcement
The Department of Health and Human Services (DHHS) has delegated enforcement of the HIPAA Privacy Rule to the DHHS Office for Civil Rights (OCR); the Centers for Medicare & Medicaid Services (CMS) enforce the Electronic Transaction and Security standards. Among its various responsibilities, the OCR investigates complaints, conducts compliance reviews and refers cases for criminal prosecution to the Department of Justice.
Civil penalties for non-compliance start at $100 per violation, capped at $25,000 per calendar year for violations of the same requirement. Criminal penalties for knowingly obtaining or disclosing protected health information rise to a maximum of $250,000 and 10 years in prison when the offense is committed with intent to sell the information or to use it for commercial advantage, personal gain or malicious harm.