Medical community challenge:
In a business environment where resources are limited, compliance requirements abound, and budgets constantly struggle to meet cost containment targets, the complexity of the regulations your business must comply with can present a real challenge. That challenge becomes even more difficult within the dynamic environment of hospitals, doctors' offices, and all of the supporting elements of the medical profession. Of course, all of this effort ultimately supports the critical, life-saving work performed for the focal point of the medical community: the patient. However, the digital age we have moved into over the past 20 years, despite the convenience it offers, comes with risks. Patients have suffered the compromise of their personal information, and the patient population has expressed considerable concern about how their medical data is handled.
These concerns are not without due cause, given the sensitive business of life support that medical organizations have chosen to engage in and the information involved in any medical procedure or activity. Those concerns are partly expressed in the Health Insurance Portability and Accountability Act (HIPAA), which compels medical businesses to apply certain protections to the data they possess. We will break down the predominant components of the HIPAA regulation as a basis for gaining a clear understanding of the drivers behind this law. In later postings on this topic, we will explore a strategy to align your organization with the information security requirements defined within HIPAA, HITECH, and the Omnibus Rule.
The Health Insurance Portability and Accountability Act of 1996 establishes requirements for healthcare organizations with respect to ensuring the security and privacy of protected health information (PHI) and electronic protected health information (ePHI). Broadly speaking, the overarching HIPAA principle for this type of data is that it is to remain private: only people who have a definitive need for that data should be able to access it. It should go without saying that the only way to provide any kind of privacy is through the effective deployment of security measures that restrict access to, and exposure of, the data. The principles of privacy and security are inseparably linked, as you cannot have one without the other, which is the logic behind the two best-known HIPAA rules that we cover below.
There are a number of rules recognized within HIPAA, or within what most people have come to call HIPAA, which usually encompasses other healthcare data regulations as well (e.g., HITECH and the Omnibus Final Rule). Some of the rules are better known than others. Because they were the first established under HIPAA, the best known are probably the Privacy Rule and the Security Rule. However, that is not where the rules stop. HIPAA has been updated as the issues around the handling of medical data have become better understood, and it can be a challenge to keep track of all of these rules:
- Security Rule – establishes the security standard for medical data. This is the HIPAA rule covering the administrative, technical, and physical safeguards organizations must implement to protect PHI and ePHI.
- Privacy Rule – uses what is known as the 'minimum necessary standard' as the principle governing disclosure of information, along with additional restrictions. This is the HIPAA rule covering how information must be handled and when it may be released.
- Breach Notification Rule (HITECH) – detected breaches involving 500 or more patients must be reported no later than 60 days after discovery; breaches involving fewer than 500 patients must be included in an annual report submitted within 60 days of the end of the calendar year in which the breach occurred.
- Enforcement Rule (HIPAA 2006) – provides the penalties and fines for providers and Business Associates who are liable for their actions or inaction.
- HIPAA Administrative Simplification Rules:
  - Electronic Transaction Standards – standardize the electronic exchange of information between two parties for the purpose of carrying out activities related to the provision of health care. These transactions include:
    - Claims and encounter information
    - Payment and remittance advice
    - Claims status
    - Eligibility
    - Enrollment and disenrollment
    - Referrals and authorizations
    - Coordination of benefits
    - Premium payment
  - Transactions and Code Sets Rule – addresses the overall organization of health care by standardizing coding methods, which aids interoperability between the different businesses and agencies involved in providing healthcare. The code sets detailed in HIPAA include:
    - The 10th Edition of the International Classification of Diseases (ICD-10)
    - Current Procedural Terminology (CPT)
    - Healthcare Common Procedure Coding System (HCPCS)
    - Code on Dental Procedures and Nomenclature (CDT)
    - National Drug Codes (NDC)
  - Identifiers Rule – addresses the overall organization of health care by having each health care provider identified by a unique identifier. All HIPAA covered entities are required to use unique identifiers for plan members, employees, and providers. There is currently no national identifier for patients. The identifiers are:
    - Health Plan Identifier (HPID)
    - National Provider Identifier (NPI)
    - Employer Identification Number (EIN)
    - HIPAA requires NPIs and EINs to be used on all HIPAA transactions.
Now that you have a baseline understanding of what HIPAA is composed of, we can move on to another primary component of HIPAA: understanding the criteria for PHI and ePHI, and determining whether you and your organization fall under the HIPAA regulation.
NEXT UP: What is PHI or ePHI and who has to abide by HIPAA?