Laws for the secure and private transfer of individuals' medical information
The nearly instantaneous flow of information is a defining feature of the information age. Leading companies have set the benchmark by building flexible, effective new technologies into their business plans, and many small businesses are now able to adopt solutions of their own. Some companies use this technology better than others, but in health care the seamless flow of information can literally be the difference between life and death.
In August 1996, United States President Bill Clinton signed the Health Insurance Portability and Accountability Act (HIPAA) into law, in part to promote the secure transfer of patient information. HIPAA directed the Secretary of Health and Human Services (HHS) to publish standards for the electronic exchange, privacy, and security of health-related information, and required the Secretary to issue privacy regulations if Congress did not enact privacy legislation within three years. Congress did not act by the August 1999 deadline, and HHS issued the final Privacy Rule in December 2000, followed by the final Security Rule in February 2003.
Table of Contents
- HIPAA Privacy Rule
- HIPAA Security Rule
- Electronic Transaction & Code Sets Standards
- National Identifier Requirements
- Enforcement & Penalties
HIPAA Privacy Rule
The HIPAA Privacy Rule, formally the Standards for Privacy of Individually Identifiable Health Information, sets the rules for who may access, use, and disclose patient information. It applies to covered entities: health plans, health care clearinghouses, and any health care provider that transmits health information electronically in connection with a HIPAA standard transaction. Since the 2013 Omnibus Rule, business associates that handle protected health information on a covered entity's behalf are directly liable under the Rule as well.
Individual and group health plans that provide or pay the cost of medical care are covered by HIPAA. These include health, dental, vision, and prescription drug insurers, health maintenance organizations (HMOs), Medicare, Medicaid, and other health insurance providers.
The Privacy Rule protects individually identifiable health information, known as protected health information (PHI), in any form or medium. PHI is information that identifies an individual (or could reasonably be used to do so) and relates to:
- the individual's past, present, or future physical or mental health or condition;
- the provision of health care to the individual; or
- the past, present, or future payment for that health care.
The Privacy Rule is administered and enforced by the HHS Office for Civil Rights (OCR).
HIPAA Security Rule
The more seamless the transfer of data, the better it works for business. Unfortunately, there are parties looking for opportunities to intercept that data for their own, often nefarious, purposes, and nowhere is data more personal than in health care.
HIPAA's Security Rule, formally the Security Standards for the Protection of Electronic Protected Health Information, requires covered entities (and, since 2013, their business associates) to implement administrative, physical, and technical safeguards that ensure the confidentiality, integrity, and availability of electronic protected health information (ePHI). In practice that means a documented risk analysis, workforce security and access management, and training (administrative); facility access, workstation, and device and media controls (physical); and access control, audit controls, integrity protection, person or entity authentication, and transmission security (technical). Several of these safeguards, encryption among them, are "addressable": a covered entity must either implement them or document why an alternative measure is reasonable and appropriate.
The Security Rule was originally administered by the Centers for Medicare and Medicaid Services (CMS); since July 2009 it has been enforced by OCR alongside the Privacy Rule.
Electronic Transaction & Code Sets Standards
Standardizing electronic transactions matters for the efficiency of the care being provided to patients. Under HIPAA's Transactions and Code Sets standards, every covered entity must use the same transaction formats (the ASC X12 transaction sets, such as the 837 claim and the 835 remittance advice) and the same medical code sets (ICD, CPT, HCPCS, and NDC, among others), so that the financial and clinical information exchanged between a provider and a payer can be read without custom translation on either end. Section 1104 of the Affordable Care Act of 2010 added operating rules for these transactions, including electronic funds transfer (EFT), electronic remittance advice (ERA), eligibility, and claim status, and called for a standard for claims attachments.
This part of HIPAA is administered by the Centers for Medicare and Medicaid Services.
National Identifier Requirements
HIPAA also mandates standard unique identifiers for the parties to a transaction, rather than for the transactions themselves: the National Provider Identifier (NPI) for health care providers, the Employer Identification Number (EIN) for employers, and a Health Plan Identifier (HPID) for health plans. (The HPID rule was adopted in 2012 but never enforced, and HHS rescinded it in 2019.) A uniform identifier means a provider's NPI is the same on every claim it submits to every payer, which removes the ambiguity of multiple payer-assigned numbers when determining who rendered care and who should be paid. Standardizing what care was provided is the job of the code sets described above: the CPT code for an allergy test is the same from one provider to another, so providers and payers avoid the pitfalls of deciphering what service was delivered and how it should be billed.
Like the transaction and code set standards, the identifiers are administered by the Centers for Medicare and Medicaid Services.
Enforcement & Penalties
Every law needs an enforcing authority, and HIPAA is no different. The HIPAA Enforcement Rule sets out the investigation, penalty, and hearing procedures for violations. Today the HHS Office for Civil Rights enforces both the Privacy Rule and the Security Rule (it took over Security Rule enforcement from CMS in July 2009), while CMS enforces the transaction, code set, identifier, and operating rule standards. The Department of Justice prosecutes criminal violations.
To date, HIPAA's standards have substantially increased the use of electronic data interchange within the medical industry. Provisions of the Affordable Care Act of 2010 are increasing these electronic exchanges further and add requirements that build on the original act.
The Affordable Care Act also directs HHS to require health plans to certify their compliance with the transaction standards and operating rules, and to penalize plans that fail to certify or comply. HIPAA itself carries both civil and criminal penalties:
Civil penalties for violations of HIPAA:
- Under the original 1996 schedule: $100 per violation, capped at $25,000 per year for all violations of an identical requirement. The HITECH Act of 2009 replaced this with culpability-based tiers running from $100 to $50,000 per violation, with a $1.5 million annual cap per identical provision, and these amounts are now adjusted each year for inflation.
Criminal penalties for knowingly obtaining or disclosing individually identifiable health information (42 U.S.C. § 1320d-6):
- For wrongful disclosure: $50,000 penalty, imprisonment for not more than one year, or both.
- For wrongful disclosure made under false pretenses: $100,000 penalty, imprisonment for not more than five years, or both.
- For wrongful disclosure made with the intent to sell information: $250,000 penalty, imprisonment of not more than 10 years, or both.
Beyond the statutory penalties, a covered entity that fails to comply with HIPAA will likely suffer a loss of credibility, and with it a loss of public trust and revenue.
For more information about HIPAA or our role in your data security, call us today at 502.292.5097. We can clarify the specifics of HIPAA compliance and set up secure data transfers for your medical practice.
What Our Clients Say
ISC’s Security Risk Assessment helped our Practice meet our HIPAA Compliance and Meaningful Use requirements, and the Advanced Security Assessment and Network Security solutions provide ongoing protection for our Network and Patient Data.
ISC’s IT Consulting, Sourcing and Managed Support Services provide a Total Solution for all our IT needs. They met with us to understand our business, budget and IT requirements. They implemented the solution, and their Managed IT Services provide ongoing protection for our supply chain. This allows us to focus on growing our business and serving our customers’ needs. We have peace of mind that our IT is supported and our customer data is protected.
It wasn't until someone called to see if we had an IT service provider that I realized I have used the services of ISC for over 20 years and have relied on their expertise. In a previous job, ISC managed our SQL server and POS system for 30+ stores in 5 states plus our office network. In my present job, they have been there when we expanded from a 3-person office to over a dozen employees across 4 states. We are able to collaborate using Microsoft Office 365 and a virtual private network. The staff is experienced, knowledgeable and extremely helpful. I wouldn't trust anyone else.
As a mid-size manufacturer of custom woodwork our operations are large enough to be complex but too small to justify an internal IT staff. ISC has been an ideal fit for us. Capable, responsive, cost-efficient, and they share our customer-centric values. ISC allows us to focus on what we do best with the peace of mind knowing our IT infrastructure is in good hands.
I am pleased to strongly recommend the team at ISC Kentucky. For years we attempted to support our IT hardware and software installation/upgrade needs internally with limited success. The ISC team effectively assessed our current state, established and executed an improvement plan that covered immediate needs AND projected risks, and have consistently supported our ongoing needs…largely via remote access…in a timely and efficient manner. Partnering with ISC has been clearly one of the best decisions we’ve made for our business…so we can focus on the business.
I could not be more satisfied with ISC Kentucky. They were vital in advising, implementing, and supporting my family medicine practice network. Every time I have needed network support their service was prompt and courteous. I feel that I am a valued customer and they have my best interests in mind.
We have been using ISC Kentucky for almost 2 years. We were in the market looking for an IT company to take care of our needs as a skilled nursing home. One of our board members uses ISC and gave us James Naive as a contact for them. We have been more than satisfied with their work and their knowledge of what we needed and when we needed it. They came in, looked around our building, assessed what we had, and developed a plan for us to follow to get where we needed to be. I rest much more comfortably knowing that our IT solutions are in their hands. I would highly recommend ISC Kentucky to anyone looking to solve their IT problems. ISC has professional and knowledgeable staff who have handled any situation that we have had in the last 2 years.
As a company we brought in ISC to handle the equipment at our office and 16 locations. They have provided excellent customer service on all levels. They are quick to respond and to resolve any issues. Their office and service staff is efficient, knowledgeable and professional. ISC staff will be instrumental in our planning for the next year. They have been a real asset to our company. We appreciate the relationship and service they have provided.