Health Administration Resources – Guide to HIPAA

Chances are, if you have been to a doctor’s office in the last fifteen years, you have heard the term “HIPAA”. HIPAA is an abbreviation for the Health Insurance Portability and Accountability Act of 1996. HIPAA requires that all health organizations protect healthcare information during storage, transmission, and processing. It is divided into two parts: insurance portability and information standardization. There are strict privacy policies and regulations which help make HIPAA successful, and there are serious consequences for organizations that do not enforce HIPAA rules.

HIPAA History

The foundation for HIPAA began in the Senate in 1995 as the Kennedy-Kassebaum bill. The bill was focused on reducing the fraud that occurred in the healthcare industry. While this issue was of critical importance to lawmakers, as the bill moved through Congress, policymakers found a myriad of issues which they felt should be addressed in a bill for comprehensive healthcare reform. Generally speaking, provisions of the bill were appealing to both Republicans and Democrats alike. The overall appeal of the bill propelled it through several revisions as policymakers attempted to craft a piece of legislation that would effectively meet the needs of the American public. By 1996, the bill reflected a diverse number of problems that had evolved in the modern healthcare system. The goal of the legislation was to comprehensively address all of these issues such that healthcare could be improved for patients. Interestingly, many of the provisions in the HIPAA legislation were extensions of existing laws regarding healthcare insurance.

HIPAA History Timeline:

May 7, 1998- National Provider Identifier NPRM published; Transactions and Code Sets NPRM published.

June 16, 1998- National Employer Identifier NPRM published.

August 12, 1998- Security NPRM published.

November 3, 1999- Privacy NPRM (Notice of Proposed Rule Making) published.

August 21, 1999- Deadline for Congress to create legislation outlining the privacy guidelines of individually identifiable health information standards. Because Congress failed to meet the deadline, HIPAA requires the Secretary of Health and Human Services to announce these standards by regulation.

October 29, 1999- Clinton administration announces proposed rules: Privacy Guidelines for Individually Identifiable Health Information.

November 3, 1999- Standards of Privacy for Individually Identifiable Health Information is released by Federal Register.

January 3, 2000- The end of the sixty-day response period on Standards of Privacy for Individually Identifiable Health Information.

February 17, 2000- Extended deadline for comment period on Standards of Privacy for Individually Identifiable Health Information.

February 21, 2000- Deadline for DHHS Secretary to publish Standards of Privacy for Individually Identifiable Health Information.

August 17, 2000- Final Rule of Transaction and Code Sets is published.

December 28, 2000- Privacy Final Rule Published.

May 31, 2002- CMS announces the addition of the EIN as the standard individual identifier for employers in the processing and filing of transactions including health care claims.

August 14, 2002- Final modifications to the Privacy Rule published.

October 16, 2002- Transaction and Code Sets- anticipated compliance date for covered entities that did file compliance plans delaying implementation.

February 20, 2003- Modifications to Transactions and Code Sets and Regulation and Implementation Guide Addenda Published.

February 20, 2003- Security Standards published.

April 14, 2003- The deadline for the Privacy agreement.

April 16, 2003- Interim Final Rule: Civil Money Penalties Procedures published.

August 15, 2003- Interim Final Rule: Electronic Submission of Medicare Claims published.

October 16, 2003- Transaction and Code Sets- anticipated compliance date for small health plans and covered entities filing compliance plans to delay implementation.

July 30, 2004- Standard Unique Employer Identifier compliance deadline.

April 21, 2005- Security Compliance Deadline.

May 23, 2007- Identifier Compliance Deadline for National Providers.

May 23, 2008- Identifier Compliance Deadline for small health plans and the end of NPI contingency period.

Title I: Health Care Access, Portability, and Renewability

Title I of the Health Insurance Portability and Accountability Act governs group and a small number of individual health insurance policies. Title I modified several acts, such as the Internal Revenue Code, the Employee Retirement Income Security Act and the Public Health Service Act. The effect the title has on these acts is due to the restrictions placed on groups that usually limit benefits for people with pre-existing conditions. Title I gives individuals insured under group plans the right to enter into new plans after the expiration of their group health plan without pre-existing condition penalties. The length of time a pre-existing condition would normally be excluded is reduced by the length of time the individual had ongoing insurance prior to the new contract. If a significant length of time (63 days) exists between contracts during which the person was completely uninsured, then the previous insurance does not count and the exclusion period is not reduced.

Title II: Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform

For Title II, legislation focused on reducing the overall level of fraud which occurs in the healthcare system. Specifically, the legislation provides a uniform standard for billing practices which are expected to be used by all healthcare organizations. To ensure that these provisions are followed, the legislation contains an enforcement rule which allows the federal government to fine healthcare organizations that are not in compliance with the law. A reduction in fraud in the healthcare system was seen as an important tool for reducing healthcare costs to consumers. Title II is the more complicated part of the act and has to do with information privacy, security, and standardization. This section puts the force of federal law behind standards that were previously left to private, local concerns. It is designed to increase efficiency, reduce healthcare costs and protect privacy.

Privacy Rule

The privacy rules are complicated and require a lot of reading and wading through to know which information can and cannot legally be released. The standards for how to safeguard privacy can be set by the local entities, but the restrictions as to who should and should not get patient health information are enforced at the federal level. Information covered includes all protected medical data concerning the patient. The patient must be notified if his/her protected health information has been disclosed. Penalties for violations include fines in the tens of thousands of dollars and prison, depending on the egregiousness and intent of the disclosure. Standards are upheld by the Department of Health and Human Services, and apparently many complaints are backlogged/ignored due to this department being swamped.

Transactions and Code Set Rules

In 2005, the Code Sets Rules were added to HIPAA. The Code Sets Rules created rules for health care providers to file information electronically in all instances. The rules helped to standardize the process of filing electronically for health care providers, as no standards had previously existed for electronic filing.

Security Rule

In February 2003, the Security Rule was added to HIPAA. Essentially, safeguards were put into place to handle security measures for sharing health care information among patients, family members of patients, health insurance companies, the employer offering the health insurance, and the health care provider. The Security Rule dealt with various methods of sharing health care information and is divided into administrative, technical, and physical sections. The rules concern how information is stored, transmitted, and accessed.

Unique Identifiers Rule

All providers, clearinghouses, payers, and large health plans that use electronic means to transact business must comply with the new federal standards. Fax machines that are not through the internet or “virtual” in nature are not considered electronic media. Standard formats and code sets take the place of any local standards used by the covered entity. A covered entity is a health-related entity that conducts business electronically. At this point, only Medicare-related transactions are required to be conducted electronically. All entities involved must have a unique identifier number for ease of tracking.

Enforcement Rule

The HIPAA enforcement rule strengthens the already existing HIPAA rules and creates categories of violations. The violations carry escalating penalties that are based upon the severity of the violation.

HITECH Act

The HITECH Act became effective in February of 2009. The HITECH Act was created to promote meaningful use of health care information when the use of technology is involved. It addresses both the privacy and security concerns that are often associated with the transmission of personal information through electronic sources, as well as penalties for not abiding by the rules. Failing to follow the rules established in this act could result in a maximum penalty of 1.5 million dollars for all violations.

HIPAA Effects on Research and Clinical Care

Clinical research and follow-up studies can be adversely affected or prevented if doctors and health professionals are not sure whether they are within the guidelines. The penalties are stiff, whether or not they are actually carried out. Patients who must sign consent forms may find their eyes glazing over at the amount of data they must digest if they read everything before they sign. One study showed that HIPAA decreased patient recruitment, tripled the time spent on recruiting and tripled the cost of recruiting patients for various research. Studies like this call into question whether HIPAA is actually making healthcare more efficient, or whether the privacy rules are making the industry more administratively complex, and therefore possibly inefficient.
