The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was passed by the United States Congress and was signed in 1996 by President Bill Clinton. The privacy rule defines a “group health plan” as an employee welfare benefit plan, whether insured or self-insured, that provides “medical care” to employees and their dependents.
1. HIPAA Covered Entities
Covered entities include only health plans, health care providers that conduct certain types of transactions electronically, and health care clearinghouses.
2. Responsibilities of Covered Entities
Covered entities must provide a privacy notice, adopt security & privacy policies & procedures, appoint privacy & security officials, establish grievance procedures, amend the plan document, provide training to employees, and safeguard the uses and disclosures of PHI.
3. Who are Business Associates?
A person or entity hired by the covered entity to perform a function or activity on its behalf, or to provide one of a list of specific services to the covered entity, where that work involves access to protected health information.
4. Categories Under Business Associates
Common business associates include: Third-party administrators (claim processors), consultants and analysts, claim auditors, brokers/agents who place business, attorneys and specialty services (U/M, COBRA or HIPAA).
5. Protected Health Information
Health information created or received by a covered entity, including health and demographic information that relates to the past, present, or future physical or mental health or condition of an individual, or to payment for care. The privacy rule applies regardless of format; the security rule applies only to electronic PHI.
6. What are Prohibited Uses or Disclosures of PHI?
If the use and/or disclosure of PHI is not required by law or permitted under the privacy rule, then a covered entity is prohibited from using or disclosing PHI unless the individual authorizes the use or disclosure.
7. Principles of HIPAA
The key principles of HIPAA are scalability & flexibility: no two entities will implement the requirements in exactly the same way, no specific technologies are mandated, implementation should fit the organization, and your decision-making should be documented.