The most recent federal action to provide oversight of patient health information
is part of the Kennedy-Kassebaum Act, better known as the Health Insurance
Portability and Accountability Act of 1996, or HIPAA for short. In the years
since, the Department of Health and Human Services (HHS) has developed
regulations to implement the law, and the changes for the healthcare industry
will be profound.
More specifically, HIPAA's Administrative Simplification provisions call for:
1. Standardization of electronic patient health, administrative and
financial data
2. Unique health identifiers for individuals, employers, health plans
and health care providers
3. Security standards protecting the confidentiality and integrity of
"individually identifiable health information," past, present
or future.
The portion of the regulations where Syntro can be of most assistance
is the HIPAA Privacy Rule, which sets the privacy and confidentiality
standards. Most covered entities must comply by April 14, 2003 (small health
plans are given an additional year). Effective compliance requires
organization-wide implementation.
Steps will include:
Building initial organizational awareness of HIPAA
A comprehensive assessment of the organization's information security systems,
policies and procedures
Developing an action plan with deadlines and timetables
Developing a technical and management infrastructure to implement the
plan
Implementing the action plan, including:
  Developing new policies, processes and procedures
  Building "chain of trust" agreements (business associate contracts) with
  service organizations that handle protected health information
  Redesigning the technical information infrastructure to comply
  Purchasing new, or adapting existing, information systems
  Developing new internal communications
  Training and enforcement
In general, privacy is about who has the right to access individually
identifiable health information. The rule covers all individually identifiable
health information held by covered entities, in any form, regardless of whether
the information is or has ever been electronic.
The Privacy standards:
limit the non-consensual use and release of private health information;
give patients new rights to access their medical records and to know
who else has accessed them;
restrict most disclosures of health information to the minimum necessary
for the intended purpose;
establish new criminal and civil sanctions for improper use or disclosure;
establish new requirements for access to records by researchers and
others.
The new regulation reflects the five basic principles HHS set out in its
earlier recommendations to Congress on the confidentiality of health
information:
Consumer Control: The regulation provides consumers with critical new
rights to control the release of their medical information.
Boundaries: With few exceptions, an individual's health care information
should be used for health purposes only, including treatment and payment.
Accountability: Under HIPAA, for the first time, there will be specific
federal penalties if a patient's right to privacy is violated.
Public Responsibility: The new standards reflect the need to balance
privacy protections with the public responsibility to support such national
priorities as protecting public health, conducting medical research,
improving the quality of care, and fighting health care fraud and abuse.
Security: It is the responsibility of organizations that are entrusted
with health information to protect it against deliberate or inadvertent
misuse or disclosure.
WHO IS AFFECTED? Virtually every healthcare organization. The rule applies
directly to covered entities: health care providers that transmit health
information electronically (even solo-physician offices), health plans, and
health care clearinghouses. Organizations that handle protected health
information on a covered entity's behalf, such as billing agencies, information
systems vendors, service organizations and universities, are reached through
business associate contracts; employers, public health authorities and life
insurers are affected where they sponsor health plans or receive disclosures
governed by the rule.
ARE THERE PENALTIES? HIPAA provides civil and criminal penalties
for noncompliance, including:
Civil fines of up to $100 per violation, capped at $25K per calendar year
for violations of the same standard
Criminal fines of up to $50K and/or imprisonment up to 1 year for knowingly
obtaining or disclosing individually identifiable health information, rising
to $100K and/or 5 years where it is obtained under false pretenses, and to
$250K and/or 10 years where the intent is to sell the information or to use
it for commercial advantage, personal gain or malicious harm