The Health Insurance Portability and Accountability Act (HIPAA) of 1996 establishes federal standards to protect sensitive health information from disclosure without a patient's consent. The US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement HIPAA's privacy requirements, and the HIPAA Security Rule to protect a subset of the information covered by the Privacy Rule, namely individually identifiable health information held or transmitted in electronic form. The Privacy Rule standards address the use and disclosure of individuals' protected health information (PHI) by the entities subject to the rule, which are called covered entities.
Covered entities include health plans, health care providers, and health care clearinghouses. Health plans refer to health, dental, vision, and prescription drug insurers, as well as Medicare, Medicaid, and other government-sponsored health plans. Health care providers are covered by HIPAA if they electronically transmit health information in connection with certain transactions, such as benefit eligibility inquiries and referral authorization requests. Health care clearinghouses are entities that process non-standard health information they receive from another entity into a standard format or vice versa.
While HIPAA provides important protections for individuals' health information, it is important to note that it does not cover all entities that handle health data. For example, life insurance companies are not required to follow HIPAA privacy standards.
| Characteristics | Values |
|---|---|
| What is HIPAA? | The Health Insurance Portability and Accountability Act of 1996 (HIPAA) |
| What does HIPAA do? | HIPAA establishes federal standards protecting sensitive health information from disclosure without the patient's consent. |
| Who does HIPAA apply to? | Health care providers, health plans, health care clearinghouses, and their business associates. |
| What is a business associate? | A person or entity outside a covered entity's workforce that uses individually identifiable health information to perform functions or services for a covered entity. |
| What are some examples of business associates? | Companies that help your doctors get paid for providing health care, companies that help administer health plans, outside lawyers, accountants, IT specialists, and companies that store or destroy medical records. |
| What is not covered by HIPAA? | Life insurance companies, employers, most schools and school districts, most law enforcement agencies, and many municipal offices. |
| What is protected by HIPAA? | Information your doctors, nurses, and other health care providers put in your medical record, conversations your doctor has about your care or treatment with nurses and others, information about you in your health insurer's computer system, and billing information about you at your clinic. |
Health plans
Health plans are one of the three categories of covered entity under HIPAA, alongside health care providers and health care clearinghouses. Under the Privacy Rule, the term "health plan" includes:
- Health, dental, vision, and prescription drug insurers
- Health maintenance organizations (HMOs)
- Medicare, Medicaid, Medicare+Choice (now Medicare Advantage), and Medicare supplement insurers
- Long-term care insurers (excluding nursing home fixed-indemnity policies)
- Employer-sponsored group health plans
- Government- and church-sponsored health plans
- Multi-employer health plans
The one exception is a group health plan with fewer than 50 participants that is administered solely by the employer that established and maintains it; such a plan is not a covered entity.
Requirements for Health Plans
- Protect the privacy of individuals' health information while allowing the flow of information needed to provide and promote high-quality healthcare
- Only use and disclose protected health information as permitted or required by the Privacy Rule or with the individual's authorization
- Implement policies and procedures that restrict access to and use of protected health information to the minimum necessary for each workforce role
- Establish procedures for individuals to file complaints about non-compliance with privacy policies and procedures
- Train their workforce on privacy policies and procedures and apply appropriate sanctions for violations
- Maintain reasonable and appropriate administrative, technical, and physical safeguards to protect health information from intentional or unintentional use or disclosure
Health care providers
The Health Insurance Portability and Accountability Act (HIPAA) Rules apply to covered entities and their business associates. Covered entities are defined as:
- Health plans
- Health care clearinghouses
- Health care providers
Only health care providers who electronically transmit health information in connection with transactions for which the Department of Health and Human Services (HHS) has adopted standards are covered entities; a provider that never transmits any such transaction electronically is not. Generally, these transactions concern billing and payment for services or insurance coverage. For example, hospitals, academic medical centers, physicians, and other health care providers who electronically transmit claims transaction information to a health plan, whether directly or through an intermediary such as a clearinghouse, are covered entities.
The HIPAA Privacy and Security Rules protect the privacy and security of individually identifiable health information. The HIPAA Privacy Rule covers protected health information (PHI) in any medium, while the HIPAA Security Rule covers electronic protected health information (ePHI).
Under the HIPAA Privacy Rule, health care providers have responsibilities to patients, including:
- Providing a Notice of Privacy Practices (NPP)
- Responding to patients’ requests for access to their PHI
- Responding to patients’ requests for amendments to their PHI
- Responding to patients’ requests for an accounting of disclosures
- Responding to patients’ requests for restrictions on uses and disclosures of their health information
- Responding to patients’ requests for confidential communications
In addition to HIPAA, health care providers must comply with all other applicable federal, state, and local laws.
Health care clearinghouses
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) applies to health care clearinghouses, which are defined as:
> A public or private entity (including a billing service, repricing company, community health management information system or community health information system, and value-added networks and switches), that does either of the following functions:
>
> 1. Processes or facilitates the processing of health information received from another entity in a non-standard format or containing non-standard data content into standard data HIPAA elements, or
> 2. Receives a standard transaction from another entity and processes or facilitates the processing of health information into a non-standard format or non-standard data content for the receiving entity.
In other words, a health care clearinghouse acts as a middleman between a health care provider and a health plan. It checks claims from health care providers for errors and converts them to the standard transaction format before forwarding them to a health plan for payment. This process is also known as "scrubbing".
Health care clearinghouses are "covered entities" under HIPAA and are therefore required to comply with the HIPAA Privacy Rule and Security Rule. This means they must maintain safeguards to protect the privacy and security of protected health information (PHI). They must also have contracts in place with their business associates, ensuring that those business associates use and disclose health information properly and safeguard it appropriately.
Examples of healthcare clearinghouses include billing services, repricing companies, community health management information systems, and value-added networks and switches.
Business associates
The Health Insurance Portability and Accountability Act (HIPAA) applies to covered entities and their business associates. A business associate is a person or entity, other than a member of the covered entity's workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity, where those functions or services involve the use or disclosure of protected health information. Examples of business associates include:
- Companies that help health providers with billing and companies that process health care claims
- Companies that help administer health plans
- External lawyers, accountants, and IT specialists
- Companies that store or destroy medical records
Covered entities must have contracts in place with their business associates. These contracts must ensure that business associates use and disclose health information properly and safeguard it appropriately. The contract must also establish the permitted and required uses and disclosures of protected health information by the business associate. Business associates must also have similar contracts with subcontractors.
Life insurance companies
Life insurance companies are not health plans, health care providers, or health care clearinghouses, so they fall outside the set of entities HIPAA regulates. To see why, it helps to restate who is covered. The Health Insurance Portability and Accountability Act (HIPAA) of 1996 establishes federal standards to protect sensitive health information from disclosure without a patient's consent. The US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement HIPAA requirements. The Privacy Rule standards address the use and disclosure of individuals' protected health information (PHI) by entities subject to the rule, which are called "covered entities".
The Privacy Rule also contains standards for individuals' rights to understand and control how their health information is used. It protects individual health information while allowing necessary access to health information, promoting high-quality healthcare, and protecting the public's health. The Privacy Rule permits important uses of information while protecting the privacy of people who seek care and healing.
The following types of individuals and organizations are subject to the Privacy Rule. The first three are covered entities; business associates are not covered entities themselves but are bound to the same standards through their contracts with covered entities:
- Healthcare providers: Every healthcare provider, regardless of the size of the practice, who electronically transmits health information in connection with certain transactions. These transactions include benefit eligibility inquiries, referral authorization requests, and other transactions for which HHS has established standards under the HIPAA Transactions Rule.
- Health plans: Health, dental, vision, and prescription drug insurers; health maintenance organizations (HMOs); Medicare, Medicaid, Medicare+Choice (now Medicare Advantage), and Medicare supplement insurers; long-term care insurers (excluding nursing home fixed-indemnity policies); employer-sponsored group health plans; government- and church-sponsored health plans; and multi-employer health plans. An exception is made for group health plans with fewer than 50 participants that are administered solely by the employer that established and maintains the plan.
- Healthcare clearinghouses: Entities processing non-standard information received from another entity into a standard format or vice versa. Healthcare clearinghouses receive identifiable health information when providing processing services to a health plan or healthcare provider as a business associate.
- Business associates: A person or entity outside a covered entity's workforce that uses individually identifiable health information to perform functions, activities, or services for a covered entity, such as claims processing, data analysis, utilization review, and billing.
While the HIPAA Privacy Rule safeguards PHI, the Security Rule protects a subset of information covered by the Privacy Rule. This subset is all individually identifiable health information a covered entity creates, receives, maintains, or transmits in electronic form, called electronic protected health information (e-PHI). The Security Rule does not apply to PHI transmitted orally or in writing.
To comply with the HIPAA Security Rule, all covered entities must ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain, or transmit; identify and protect against reasonably anticipated threats to the security or integrity of that information; protect against reasonably anticipated impermissible uses or disclosures; and ensure compliance by their workforce.
Covered entities should rely on professional ethics and best judgment when considering requests for permissive uses and disclosures. The HHS Office for Civil Rights enforces the HIPAA Rules, and complaints about violations are filed with that office. HIPAA violations may result in civil monetary penalties or, in some cases, criminal penalties.
Frequently asked questions
Do HIPAA rules apply to life insurance companies?
No, HIPAA rules do not apply to life insurance companies. The Health Insurance Portability and Accountability Act (HIPAA) of 1996 establishes federal standards to protect sensitive health information from disclosure without the patient's consent, but it does not give the Department of Health and Human Services (HHS) the authority to regulate life insurance companies.
Who does the Privacy Rule apply to?
The Privacy Rule applies to health plans, health care clearinghouses, and health care providers who transmit health information electronically in connection with transactions for which HHS has adopted standards under HIPAA. These entities are collectively referred to as "covered entities."
What information does the Privacy Rule protect?
The Privacy Rule protects all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or medium. This includes information that relates to an individual's past, present, or future physical or mental health or condition, the provision of health care to the individual, and the past, present, or future payment for that health care, where the information identifies the individual or could reasonably be used to do so.