Health Insurance Portability - Research Paper Example

?HIPAA stands for the Health Insurance Portability and Accountability Act which was passed by the U.S. Congress in the year 1996. The act however became effective only in July, 1997. The main goal of the Act was to ensure more efficient healthcare delivery throughout the United States and also to increase the number of Americans with healthcare coverage (Brief History of HIPAA, 2009; History of HIPAA, n.d; Privacy and Security, n.d). Prior to implementation of HIPAA, healthcare rules and regulations varied from one state to another in the US and hence lacked uniformity with the requirements of the federal government. Additionally they also lacked effective healthcare security and privacy measures and there was no standard authority to check the fraud and abuse of the system. In such a situation Congress realized the requirement of security and privacy standards for the healthcare industry in order to avoid any misuse or abuse of electronic technology (History of HIPAA, n.d). Hence HIPAA was introduced to promote health insurance coverage for both individuals and groups, ensure better security and privacy, promote the use of medical savings account, make long-term services more accessible, and to frame standards for better administration and safer use of electronic technology in the healthcare industry such as the implementation of the national provider identifier (Overview of HIPAA, 2008). The HIPAA was signed by President Clinton on July 21, 1996 in lieu of several security, privacy and abuse in the healthcare industry. HIPAA guaranteed health insurance to all Americans and ensured simplification of administrative process in healthcare in order to increase the effective delivery of healthcare to all people. Additionally the security and privacy of health information was also protected under the act (Security and Privacy, 2001). The use of electronic technology in healthcare had vastly expanded during the 1990s. However, the potential dangers associated with advances in electronic technology were also recognized. Such advances could endanger the privacy of health information of the people and hence nationwide security standards were devised to ensure safe use of electronic health information. In addition privacy standards were also introduced to protect the health information (Brief History of HIPAA, 2009). These privacy and security rules apply to three groups of covered entities (CE): health care provider, health plan and healthcare clearinghouse. The healthcare provider group includes health care service providers and suppliers who use the electronic form for transactions and other health care information such as doctors, clinics, psychologists, dentists, chiropractors, nursing homes and pharmacies. The health plan group includes individuals or groups that provide and pay for health care plans such as health insurance companies, HMOs, company health plans, Medicare, Medicaid, military and other health programs offered by the government. The healthcare clearinghouses include both public and private entities that receive non-standard health information and convert them into a standard content or vice versa (Privacy and Security, n.d; Security and Privacy, 2001). The HIPAA standards will also indirectly apply to business associates or partners of a covered entity such as software providers and other third party vendors (Privacy and Security, n.d). The standards devised by the HIPAA for the transactions carried out in the electronic form need to the adhered to by the CEs (Security and Privacy, 2001). The HIPAA standards include transactions and code sets, privacy and security and national provider identifier. The entities that comply with the HIPAA standards are required to use the same health care transactions, code sets and identifiers. The HIPAA standards for electronic data interexchange (EDI) is applicable to claims and claim status, encounter information, payments and remittance, inquiries, referral certification and authorization, enrollment or disenrollment in a health care plan, premium payments, claim benefits and attachments (Privacy and Security, n.d). In addition to these standards code sets are used in claim forms for identification of specific diagnosis and clinical procedures, encoding table terms and medical concepts (Privacy and Security, n.d; Frequently Asked Questions, 2000). In the healthcare industry codes can be used to denote diseases, impairments and other health related problems and its manifestations, injury and its causes, diagnostic tests undertaken, treatment measures adopted, and for procurement of drugs, medical supplies and equipments. Under the simplified administrative process of the HIPAA code sets are required for diagnosis, procedures and drugs. The ICD-9CM (International Classification of Diseases, 9th Edition, Clinical Modification) codes are used to denote diseases and other injuries and impairments, their manifestations and causes, preventions, diagnosis, treatment and management. The NDC (National Drug Codes) are used for drugs and biologics. CDT codes are used for dental services and nomenclature. CPT-4 (Current Procedural Terminology) is used for physician procedures and other health related services such as radiological services, clinical laboratory tests, hearing and vision services and transportation services such as ambulance. HCPCS or Ancillary Services/Procedures for medical supply claims that includes medical supplies, orthotic and prosthetic devices and other medical equipments (Frequently Asked Questions, 2000). In order to promote safe and standardized transactions of health care information the HIPAA has mandated the introduction of security and privacy standards. The CEs are required to adhere with the security and privacy standards that are proposed for maintenance and transmission of health information via the electronic form. The increasing use of electronic systems for patient health information management has necessitated the need for adopting privacy standards in order to protect the data. These standards, which apply to oral, written and electronic patient health information data which is referred to as Protected Health Information (PHI), give specific rights to patients apart from those which specify how these rights should be protected (Security and Privacy, 2001). The PHI includes all the health information of individuals who are under a health plan by the service provider or clearing house. The data could be transmitted and maintained in any form and the information should be useful to readily identify an individual. This information can include the past, present or future health condition of the individual, the specific health care provided and the payments given or received for the provision of healthcare (Security and Privacy, 2001; Summary of the HIPAA, 2003). Some examples of PHI include the completed claim forms and reports, explanation of benefits (EOB), and the notes taken while explaining the healthcare plan to the individuals (Security and Privacy, 2001). The privacy rule mainly defines the circumstances under which the PHI of an individual can be disclosed by the CEs. The information is required to be disclosed when the privacy rule permits it, when authorized by the concerned individual or when the HSS is undertaking an investigation on the information. The CE can disclose the private health information without the individual’s consent as and when required by the person who is the subject of information, for treatment, payments and other operations, when there is a situation where the individual has to make a decision but is incapacitated to do so, incidents which require access to the information such as disclosure of information to government authorities in case of abuse victims, health oversight activities, law and administrative proceedings, law enforcement situations, decedents for identification of the deceased, during organ donation, medical research purposes, during threat to health and life, government functions, and for claiming workers compensations; and other public interest and benefit activities. Authorization from the individual must be obtained by the covered entity for use of PHI in situations as mentioned in the privacy rule. Authorization should be written in specific terms and in plain language which allows the PHI to be disclosed for purposes of life insurance coverage, pre-employment purposes, or for research studies. The amount of PHI disclosed by the CE should also be limited to the minimum requirement unless the situation demands for disclosure of the entire medical record. Situations which warrant the disclosure of the entire medical history include to the individual who is the subject of information, to the health service provider, in the presence of an authorization to do so, for complain investigations, when required by law or for HIPAA transactions and administrative processes. In order to restrict the internal access to PHIs the covered entity must implement policies and procedures within their organization by which access would be granted only to specific members of the workforce to enable them to carry out their jobs. Policies should also be implemented for disclosure of minimum necessary information. Each CE is also required to provide a notice that describes the ways in which it uses and discloses the PHI and those who have a direct treatment relationship with individuals should deliver a privacy practice notice to their patients. The CEs who provide a health plan can deliver such notices upon request and an acknowledgement for receipt of the notices should also be obtained from the patients. Individuals also have the right to view their health information data maintained in designated record sets by the covered entity and also obtain a copy of the same. The amendment rule also gives an individual the right to have their PHI in the designated record set amended if they find the information to be incorrect or incomplete. Individuals can also have the disclosures of their PHI accounted. In addition they can also request a restriction for access to their PHI to individuals who are taking care of their health plans or to family members. Confidential communication facilities may also be requested by the individuals as a means of protecting their health information. Apart from these policies, CEs should also have procedures to register complaints by the individual in case of non-compliance with the privacy policies. If individuals exercise their privacy rights for assistance in any investigation the CEs cannot retaliate and at the same time individuals should not waiver any privacy rule in order to obtain any treatment, payments or benefits. The covered entities are required to maintain all privacy related documents until 6 years after their creation or the last effective date. Under the privacy rule the personal representative of any individual who is legally responsible for deceased or other incapacitated individual should be treated equally and the rule can be exempted only when there is evidence that the authorized person is misusing or neglecting the concerned individual. In case of minor children the privacy rule allows the parents to exercise the right on behalf of their children. Thus all the CEs are required to comply with the privacy rules failing which the Department of Health and Human Services can impose civil money penalties on the entities which can range from $100 to a maximum of $25,000 for multiple violations. However, if the violation is not done willfully and under some acceptable situations and if it is corrected within 30 days after committing the same, the HHS may not impose any violation on the CE. When the PHI of an individual is willfully disclosed by a person he can face fines up to $50,000 and imprisonment of one-year. If false pretences are involved, individuals can be fined up to $100,000 and a five-year imprisonment and in cases when the PHI is used wrongfully and with commercial interest the fines can go up to $250,000 and a ten-year prison term (Summary of the HIPAA, 2003). In support of the privacy rules that protect the PHI of individuals, several security measures should also be undertaken to ensure correct handling of health information especially via the electronic format. The security rule specifies several administrative, physical and technical measures for the CEs that would enable them to maintain the confidentiality, integrity and easy access of their PHI. The most important security measure is to maintain the confidentiality of the information by providing access only to authorized people. Such measures may include using locks to physically protect the information stored to using data encryption in case of electronically stored information. In case of electronic data transactions the integrity of the data is also of prime importance as confidence about the accuracy of the data is a requirement. To maintain the integrity system-independent mechanisms that help protect against unauthorized modification of health information should be implemented. In addition, the HIPAA also requires the CEs to carry out checksums, cyclic redundancy checks, double keying, authentication codes and digital signatures to maintain the integrity of the PHI. Strict measures should also be undertaken during data exchange. The data should also be made available to the consumers at any required time and even during equipment failure or power problems. Hence suitable back-ups need to be in place to protect during times of natural as well as man-made disasters. Awareness about the security measures throughout the organization is also a vital requirement in order for the security issues to be supported at all levels. The management should be involved with the effective implementation of the security standards and all the staff members who take care of the PHI need to be trained on these issues. The information system which handles these information should also be maintained properly and any malfunctioning needs to be immediately addressed. Some technical measures include proper authentication systems such as secret codes, biometrics, ID cards and blocking mechanisms is case systems are left idle for a period of time; authorizing use of only specific data by which other non-specific information is hidden from the employee; accountability should be maintained by proper log in measures; regular checks that help track whether information has been modified or corrupted; secure transfer of information between entities by using encryptions and secure storage of information in CD-ROMS by using encryption keys and its safe distribution within the organization (Security and Privacy, 2001). In 2004, HIPAA called for the creation of a unique health identifier for health care providers and the HHS adopted the National Provider Identifier (NPI) as the system (Overview of HIPAA, 2008). All the CEs are expected to use the NPI, which has replaced all other identifiers used by the entities, to identify covered healthcare providers in standard transactions. However, the provider’s DEA number, state license or tax identification number is not replaced by the NPI (Privacy and Security, n.d). Once obtained the NPI remains with the providers even in cases of job or location changes (Overview of HIPAA, 2008). In conclusion, covered entities in the healthcare industry are expected to comply with the privacy and security standards of the HIPAA, failing which fines and penalties would be levied on the entities. Complying with these standards would only help in better growth of the health care organizations which will provide safer and quicker health care facilities to its consumers. Reference 1. Brief History of HIPAA and the Privacy Rule. (2009). National Institute of Health. NCBI Bookshelf. Retrieved 20 May, 2011, from http://www.ncbi.nlm.nih.gov/books/NBK9576/#a20016f79ddd00050 2. History of HIPAA. (n.d). All-Things-Medical-Billing. Retrieved 20 May, 2011, from http://www.all-things-medical-billing.com/history-of-hipaa.html 3. Privacy and Security (HIPAA). (n.d). California Primary Care Association. Retrieved 20 May, 2011, from http://www.cpca.org/index.cfm/health-center-information/operations/privacy-security/ 4. Overview of HIPAA Privacy and Security. (2008). Privacy and Security Project. University of Minnesota. Retrieved 20 May, 2011, from http://www.ahc.umn.edu/privacy/hipaa/home.html 5. Security and Privacy: An Introduction to HIPAA. (2001). National Electrical Manufacturers Association. Retrieved 20 May, 2011, from http://www.eecs.harvard.edu/cs199r/readings/HIPAA_infosec.pdf 6. Frequently Asked Questions about Code Sets Standards Adopted Under HIPAA. (2000). hhs.gov. Retrieved 20 May, 2011, from http://aspe.hhs.gov/admnsimp/faqcode.htm 7. Summary of the HIPAA Privacy Rule. (2003). Office for Civil Rights. United States Department of Health and Human Services. Retrieved 20 May, 2011, from http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/privacysummary.pdf Read More