HIPAA is an acronym that stands for the Health Insurance Portability and Accountability Act of 1996. (HIPAA) and its administration simplification provisions established rules and regulations around the standards and requirements for transmitting certain health information to improve the efficiency and effectiveness of the health care system while protecting patient privacy.
Applicability
HIPAA defines what entities and activities are covered under the rules. Generally, referred to as “covered entities”, it applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. A covered entity is permitted to use and disclose protected health information, without an individual’s authorization, for the following purposes or situations:
• To the Individual (unless required for access or accounting of disclosures);
• Treatment, Payment, and Health Care Operations;
• Opportunity to Agree or Object;
• Incident to an otherwise permitted use and disclosure;
• Public Interest and Benefit Activities
• Limited Data Set for the purposes of research, public health or health care operations
What is a Covered Entity?
| A Health Care Provider | A Health Plan | A Health Care Clearinghouse |
| This includes providers such as
Doctors Clinics Psychologists Dentists Chiropractors Nursing Homes Pharmacies |
This includes:
Health insurance companies HMOs ACOs Company Health Plans Government programs such as Medicare or Tricare
|
This includes entities that process non-standard health information they receive from another entity into a standard (i.e. Standard electronic format or data content), or vice versa. |
** Business Associates may have to comply with some or all of the HIPAA Administrative Simplification Rules
Two Components of HIPAA
| Privacy Component | Security Component |
| Protects individually identifiable health information* held or transmitted by a covered entity or business associate (otherwise known as Privacy of Personal Health Information (PHI))
Electronic Paper Oral |
Sets forth the requirements and safeguards to protect the privacy of personal health information which is being electronically transmitted |
| Sets limitations on uses and disclosures without patient authorization | Establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity |
| Establishes national standards to protect individual medical records and other PHI | Requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity and security of electronic protected health information.
|
| Gives patients rights over their health information which include:
The right to access their Protected Health Information. The right to amend their Protected Health Information. The right to receive a notice of Privacy Practices. The right to request restrictions and confidential communications. The right to an accounting of disclosures. |
*What is Individually Identifiable Health Information?
“Individually identifiable health information” is information, including demographic data, that relates to:
• the individual’s past, present or future physical or mental health or condition,
• the provision of health care to the individual, or
• the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers such as a name, address, birth date or Social Security Number.
Exceptions to the Privacy Rule
Plans providing certain incidental types of coverage are entirely exempt from HIPAA regulations. Incidental coverage would usually be for non-medical benefits such as:
• Accident Policies;
• Disability income;
• Liability insurance;
• Worker’s compensation;
• Self-administered, self -insured group health plans with fewer than 50 employees eligible to participate.**
**This exclusion does NOT apply to a self-insured health plan that uses a third-party administrator.
Penalties
| Criminal Penalties | | Civil Penalties |
| Knowingly obtains or discloses individually identifiable health information | Up to $50,000.00 and up to one year in prison | Penalty amount of $100 to $50,000 or more per violation |
| Wrongful conduct with false pretenses | Up to $100,000 and up to five years in prison | Calendar year cap of $1,500,000 |
| Wrongful conduct with intent to sell, transfer or use information | Up to $250,000 and up to ten years in prison |
This content is being provided as an informational tool. It is believed to be accurate at the time of posting and is subject to change. It is recommended that plans consult with their own experts or counsel to review all applicable federal and state legal requirements that may apply to their group health plan. By providing this information, Meritain Health is not exercising discretionary authority or assuming a plan fiduciary role, nor is Meritain Health providing legal advice.