HIPAA: Health Insurance Portability and Accountability Act
September 23, 2013 was the HIPAA privacy and security deadline
The U.S. Department of Health & Human Services (HHS) recently adopted new rules that change existing privacy, security and breach notification requirements in what is often referred to as the final "HIPAA Omnibus Rule." These new rules stem from changes made under the Health Information Technology for Economic and Clinical Health (HITECH) Act, which is part of the same law that created the Electronic Health Records (EHRs) Incentive Program under Medicare and Medicaid.
All covered physician practices must update their HIPAA policies and procedures and otherwise implement the changes required by these regulations no later than the September 23, 2013 compliance date. These new rules mean physicians will need to update their Business Associate Agreements (BAAs) and their Notices of Privacy Practices (NPPs), and to understand the importance of encrypting electronic protected health information.
The AMA has a number of free resources to help physicians comply. These resources can be found below, and are also available for AMA PRA Category 1 Credit™. Log in to the AMA Online Learning Center to access this free CME activity.
- AMA/HIMSS podcast, "The Nuts and Bolts of Achieving HIPAA Security Rule Compliance through Effective Risk Assessment"
- HIPAA privacy and security toolkit: Helping your practice meet new compliance requirements
- HIPAA Security Rule: Frequently asked questions regarding encryption of personal health information
- Sample Notice of Privacy Practices
- HIPAA Privacy Rights Request Form
- Sample Business Associate Agreement
Administrative Simplification in the Affordable Care Act
The Affordable Care Act (ACA) expands on provisions in HIPAA that support administrative simplification. These new requirements include operating rules for the HIPAA-named standards, a standard for electronic funds transfer, and a national health plan identifier. The following is an article that goes into more detail about the continuing efforts in ACA to provide administrative simplification.
The following are highlights of some of the HIPAA-related topics.
To improve the efficiency and effectiveness of the health care system, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, included Administrative Simplification provisions that required the Department of Health and Human Services (HHS) to adopt national standards for electronic health care transactions and code sets, unique health identifiers, and security. At the same time, Congress recognized that advances in electronic technology could erode the privacy of health information. Consequently, Congress incorporated into HIPAA provisions that mandated the adoption of Federal privacy protections for individually identifiable health information.
Following the passage of HIPAA, two additional laws have been enacted that add requirements to HIPAA and strengthen various aspects of administrative simplification. These laws are:
- Health Information Technology for Economic and Clinical Health Act (HITECH) enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA)
Subtitle D of the HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information, in part, through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules.
- Patient Protection and Affordable Care Act of 2010 (ACA)
ACA builds upon HIPAA with new and expanded provisions, including a requirement to adopt operating rules for each of the HIPAA covered transactions; a unique, standard Health Plan Identifier; and a standard for electronic funds transfer. ACA requires that health plans certify their compliance with the standards and operating rules, and increases penalties for noncompliance.
The HIPAA Privacy Rule provides federal protections for personal health information held by physicians and gives patients an array of rights with respect to that information. While the Privacy Rule is intended to balance the rights of patients with the needs of physicians and others who need access to patient information (i.e., other providers and payers), physicians have found some of the requirements challenging to incorporate into their workflow. Nonetheless, physicians continue to place a high priority on ensuring patient information remains private.
The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information.
Increasingly, physicians are using smart phones, tablets, laptops, and other mobile devices to access protected patient information. Information on how physicians can secure these devices to avoid inappropriate access and disclosure of patient information can be found below.
The Transactions and Code Sets Final Rule, as required by HIPAA, was issued in August 2000 by HHS and named standard transactions to be used by "covered entities," defined as health care providers (including physicians), payers, and clearinghouses, when conducting specific administrative transactions electronically. The compliance date for the first version of HIPAA standards, Version 4010, was October 2003 for most HIPAA covered entities. In 2009, HHS adopted Version 5010 to replace Version 4010; the industry implemented Version 5010 on January 1, 2012.
ACA requires the Secretary of HHS to adopt operating rules for each HIPAA transaction. Operating rules are defined as "...the necessary business rules and guidelines for the electronic exchange of information that are not defined by a standard or its implementation specifications..." There are various deadlines associated with the different operating rules.
To ensure streamlined transitions to operating rule and standard transaction updates, unlike the previous move from the 4010 to 5010 version of HIPAA transactions, AMA has long advocated for pre-pilot testing of the future versions of the Health Insurance Portability and Accountability Act (HIPAA) standard transactions and operating rules prior to adoption. Such testing is crucial to ensure minimal physician practice disruption. As a result of AMA's effective advocacy, the Centers for Medicare and Medicaid Services (CMS) awarded a grant to the National Government Services to develop and pilot an end-to-end testing process through the End-to-End Testing Industry Collaborative Partner (ICP) work group, in which AMA participates. This process is intended to be used for all future operating rule and standard system updates, as well as the pending ICD-10-CM update.
Over the past four months, the ICP has reviewed end-to-end testing documents for use by payers, vendors and providers. Your feedback is requested on these documents. Access the CMS End-to-End Testing Web page to provide feedback or obtain more information.
In addition, CMS has awarded a contract to Emdeon to perform pilot testing on the 6020 version of the Accredited Standards Committee X12 (ASC X12) standard transactions to determine the impact to the healthcare industry of moving to new standards. During this pilot testing, deficiencies or areas for potential transmission disruption will be identified and fixed, prior to adoption of the next version of standard transactions.
The U.S. Department of Health & Human Services (HHS) finalized rules in early 2014 that allow patients to obtain direct access to their completed test reports from labs by synchronizing CLIA and HIPAA privacy rules. Prior to this rule, a lab could only release completed test reports directly to a patient if the ordering provider expressly authorized the laboratory to do so at the time the test was ordered, or if state law expressly allowed for it. The rules do not change the role of providers in ordering tests and explaining test reports to patients. Under the HIPAA Privacy Rule, laboratories are required to provide patients with their completed test reports within 30 days of a request, but they will not be required to explain the results to patients. While patients can continue to get access to their laboratory test reports from their physicians, they will have a right to get access to the reports directly from HIPAA-covered laboratories. The effective date of these rules is October 6, 2014.
The adoption of a health plan identifier (HPID) was named in HIPAA in 1996. ACA now calls for HHS to implement the HPID. The deadline for using an HPID in HIPAA transactions is November 7, 2016.
On February 16, 2006, HHS published a final rule that details the procedures for imposing civil money penalties on covered entities that violate any of the HIPAA Administrative Simplification Rules, including security, privacy, transactions, and code sets. Failure to comply with the requirements will result in criminal and monetary penalties. ARRA strengthened these penalties.