Thursday, February 13, 2014
Health Insurance Portability and Accountability Act (HIPAA) Compliance
What is the Health Insurance Portability and Accountability Act? And how do you obtain compliance with its standards? If you have these questions, Medtrainer undoubtedly has the answers. It’s vitally important for all medical care providers to stay up to date on HIPAA compliance. Rules have recently changed, as adopted by the U.S. Department of Health & Human Services. These changes affect existing privacy, security and breach notification requirements.
The new rules came about due to changes in the Health Information Technology for Economic and Clinical Health Act, a part of the same law as the Electronic Health Records Incentive Program provided for Medicare and Medicaid.
As of September 2013, all appropriately covered physician practices are required to update their HIPAA policies and procedures. Not doing so means you could be assessed fines, which are both time consuming and costly to address. Is your staff up to date on the new rules?
Doctors, dentists, and other health care providers all must update Business Associate Agreements and Notices of Privacy Practices. Doing so requires a skilled understanding of encrypting electronic protected health information, and of why this is important.
Updates aside, how skilled is your staff in HIPAA’s Administrative Simplification provisions, including the vital Privacy, Security and Breach Notification requirements? Since HIPAA was enacted, the rules have expanded and been amended due to new laws and regulations. While the most recent updates have brought substantial changes, the most sweeping was an outgrowth of the Health Information Technology for Economic and Clinical Health Act, which was a part of the American Recovery and Reinvestment Act of 2009.
In short, HIPAA requires a thorough understanding of laws, regulations, and updates to the same in regard to health care privacy and administration.
The HIPAA Privacy, Security and Breach Notification Rules enact the commitment to confidentiality that physicians are legally bound to regarding patients’ medical information. The rules also strive to maintain open communication between doctor and patient.
The requirements of HIPAA go beyond traditional, common physician obligations that may seem self-evident to care providers. Often, physicians may feel they’ve met HIPAA requirements due to following standard, careful confidentiality. However, HIPAA’s more specific compliance areas are more rigorous than traditional standards. And, if violated, serious consequences can occur.
To avoid these consequences, medical staff of all kinds - doctors, dentists, pharmacy staff - must understand HIPAA rules, and carefully follow a formal and organized compliance plan. If you don’t have a plan, or don’t know where to start, the basics begin with educating yourself and your staff about all elements of HIPAA requirements.
And that’s just the beginning. Medical staff should realize that HIPAA is considered an important baseline for compliance. But individual states can and often do have a variety of requirements that go above and beyond federal government requirements.
Needing support in these areas is common, even in regard to the three core compliance elements of HIPAA. After all, your medical staff is already likely very busy with patient care and addressing day-to-day issues. Remaining committed to HIPAA in principle may very well be an integral part of your practice. But are you addressing all aspects of the recently updated HIPAA rules? Are you and other staff members well versed in the main compliance areas of the revised and updated law?
First, there’s the privacy rule, which serves to restrict the use and disclosure of each patient’s protected health information. The privacy rule is also balanced in such a way that it allows the disclosure of health information necessary for patient care and other purposes. This means that physicians transmitting patient protected health information electronically, whether to file a claim or to check health plan eligibility, are covered entities, bound to follow HIPAA guidelines when using a third-party service for billing or other business practices. The business associates that medical offices hire to conduct services such as billing, insurance verification, accounting, and consulting must adhere to HIPAA as well.
So what exactly is protected health information? It’s individually identifiable information held or transmitted by a covered entity (a health care provider, health plan, or health care clearinghouse) or by a business associate (the service provider), in any form, from electronic to print to verbal transmission. It can relate to past, present, or future individual physical or mental health care services and payments.
The privacy rule also covers an individual patient’s right to access protected health information, to restrict certain disclosures of this information, to request changes to it, and to receive a full accounting of disclosures. It protects patients’ right to complain without fear of retaliation.
The second main HIPAA compliance area is known as the security rule. The security rule means that a covered medical practice must implement specific administrative, technical, and physical safeguards in order to ensure the confidentiality and integrity of protected health information. It also ensures the availability of the electronic data comprising individually identifiable protected health information that is received, transmitted, or maintained in electronic form. It doesn’t apply to such information if it is transmitted verbally or on paper.
The third HIPAA compliance mainstay is the breach notification rule. This rule means that, if a breach of a patient’s protected health information should ever occur, covered medical practices must notify the affected individuals, the Secretary of the U.S. Department of Health & Human Services, and sometimes the media.
That’s a lot to contend with to be in compliance with basic HIPAA requirements. Compliance deadlines were in effect many years ago, but with changes to HIPAA, the obligations of medical practices have altered, impacting compliance, implementation, and participation in a health information exchange. After all, whenever a new business associate agreement is necessary, such as a new billing service hired, the medical practice must update and reevaluate HIPAA compliance plans. It’s not easy to stay on top of federal requirements. In fact, HIPAA’s Security Rule requires technical and non-technical reevaluations of both existing plans and the changes to existing privacy, security, and breach situations.
Many offices are not aware that the so-called final “HIPAA Omnibus Rule” implements the HITECH Act, the same law that created and required implementation of the Electronic Health Records Incentive Program under Medicare and Medicaid. These new HIPAA regulations have altered the very definition of breach: the test is no longer a “significant risk of harm,” but rather whether there is a “low probability” that protected health information has been compromised. This probability is determined by the type and extent of the protected health information involved, such as the types of patient identifiers and the likelihood of re-identification; who the unauthorized person using the information was, or to whom it was disclosed; whether the protected health information was actually acquired or viewed; and the extent to which the risk to the protected health information has been mitigated.
It’s the law: all covered physician practices must update HIPAA procedures and policies, implementing changes by the required compliance date. Recent changes were to be compliant by September 23, 2013. Practices not compliant are not safe from required government audits that have been established to ensure that compliance.
In fact, the U.S. Department of Health and Human Services’ Office for Civil Rights requires the adoption of national standards for all electronic health care transactions, as well as the establishment of national identifiers for providers, health plans, and employers. This implementation of HIPAA standards has increased the use of electronic data interchange, and that usage will continue to increase greatly due to the provisions of the Affordable Care Act of 2010. With this increase will come increased adoption requirements for HIPAA operating rules regarding covered transactions, a standard and specific Health Plan Identifier, and standard operating rules for electronic funds transfer, as well as for electronic remittance advice and claims.
Health plans will additionally be required to certify their compliance. Comply - and certify. That’s the new bottom line, and the act includes substantial penalties for failure.
So why put yourself or your practice at risk, when compliance education and creating your HIPAA compliance plan can be accomplished through thorough and simple online education offered by Medtrainer?
Our goal is to make your practice just as healthy as your patients, to help you thrive through specifically directed information, education, and training that creates compliance situations easily, and makes certification simple, today - and tomorrow.