Q: As a health care provider, what sections of HIPAA apply to me?
Created: December 27, 2002
Last Updated: June 10, 2003
A: Most of the HIPAA regulations that are of concern to health care providers are found in Title II, the Administrative Simplification Compliance Act. Currently, Title II has three major rules, all of which contain requirements that pertain to health care providers. Below are high-level overviews of each of the rules and some of their major requirements.
Electronic Transaction Rule (Effective October, 2002 - extensions available until October 2003)
This rule is intended to streamline the processing of health care claims, reduce the volume of paperwork and provide better service for providers, insurers and patients. The new standards establish standard data content, codes and formats for submitting electronic claims and other administrative health care transactions.
Major Requirements
- Health care providers that submit insurance claims electronically must have systems that transmit insurance claim data according to the defined transaction standard.
- Health care providers that submit insurance claims electronically must have systems that use approved code sets (e.g., ICD-9, CPT).
Health Information Privacy Rule (Effective April, 2003)
This rule is intended to protect the confidentiality of medical records and other personal health information. The rule limits the use and release of individually identifiable health information; gives patients the right to access their medical records; restricts most disclosure of health information to the minimum needed for the intended purpose; and establishes safeguards and restrictions regarding disclosure of records for certain public responsibilities, such as public health, research and law enforcement.
Major Requirements
- Health care providers must establish formal privacy policies as to the personal health information of their patients.
- Health care providers must communicate these policies to their patients.
- Health care providers should attempt to limit employee access to personal health information to what is necessary to complete their job functions.
- Health care providers must implement reasonable minimum necessary policies and procedures that limit how much protected health information is used, disclosed, and requested for certain purposes.
- Health care providers must have in place appropriate administrative, technical, and physical safeguards that protect personal health information from incidental uses or disclosures.
- Health care providers must allow patients to review and request copies of their personal health information.
- Health care providers must obtain satisfactory written assurances from their business associates that the business associates will appropriately safeguard the protected health information they receive or create on behalf of the provider.
Security Standards Rule (Effective April 21, 2005)
The security standard consists of the requirements that a health care entity must address in order to safeguard the integrity, confidentiality, and availability of its electronic data.
Major Requirements
- Health care providers that store personal health information electronically must have systems in place to control user access to such systems.
- Health care providers that store personal health information electronically must have systems in place to provide audit trails of user activity.
- Health care providers that store personal health information electronically must have systems in place to authenticate the integrity of data in said systems.
- Health care providers that store personal health information electronically must have systems in place to uniquely identify users, automatically log out users, and require passwords.
- Health care providers that store personal health information electronically must have systems in place that use encryption or other access controls on local data and on data that is transmitted from one location to another.