The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress in 1996. As part of the Act, Congress called for regulations promoting administrative simplification of healthcare transactions, as well as regulations ensuring the privacy and security of patient information. The Act required Congress to enact laws implementing these goals by 1999. When Congress failed to do so, DHHS stepped in and began promulgating regulations. The regulations apply to what are called "covered entities": healthcare providers, health plans and healthcare clearinghouses that transmit any health information in electronic form in connection with a transaction covered under HIPAA. The regulations are made up of three distinct parts: transaction standards, privacy and security.
Transaction Standards: The transaction standards call for use of common electronic claims standards, common code sets and unique identifiers for all healthcare payers and providers. The rules became effective October 16, 2000, and providers originally had two years from that date to comply. DHHS moved the compliance date to October 2003 if a proper compliance plan is filed by October 2002.
Privacy Regulations: The privacy rules govern the release of individually identifiable health information, specifying how health providers must provide notice of privacy policies and procedures to patients, obtain consent and authorization for use of information, and tell how information is generally shared and how patients can access, inspect, copy and amend their own medical record. The privacy rules became effective in April 2001 and carry a compliance deadline of April 14, 2003. Key provisions for providers include:
- Consent and authorization requirements
- Opt-out provisions
- Minimum necessity requirement
- Administrative responsibilities
- Business associate obligations
Key provisions for patients include:
- Notice of information practices
- Access to records
- Right to accounting of disclosures
- Right to request amendment to records
- Right to request restriction of uses and disclosures
- Right to request restrictions on communicating health information
Security Regulations: The security regulations dictate the kind of administrative procedures and physical safeguards covered entities must have in place to ensure the confidentiality and integrity of protected health information. These rules have not been finalized but are expected sometime this year.