HIPAA Control and Compliance Reviews
What does HIPAA stand for?
The Health Insurance Portability and Accountability Act (HIPAA), signed into law in August 1996, requires the Department of Health and Human Services (DHHS) to adopt national uniform standards for the electronic transmission of certain health information. The intent of HIPAA is "administrative simplification" and protection of patient privacy.

"In simple language: HIPAA is a lifesaver for the health care industry, because it requires the industry to develop a set of national standards that will help bring much-needed data standard unity to health care transactions. It provides assurance that confidential patient information will be as safe or safer than paper-based patient records. Common sense says that if HIPAA hadn't come along, we would have to invent it."

DHHS divides proposed security requirements into the following four groups:

  1. Administrative procedures - documented general practices for establishing and enforcing security policies.
  2. Physical safeguards - documented processes for protecting physical computer systems, buildings, and so on.
  3. Technical security services - processes that protect, control, and monitor access.
  4. Technical security mechanisms - mechanisms for protecting information and restricting access to data transmitted over a network.

Who is affected by HIPAA regulations?
HIPAA affects all health care organizations. In particular, organizations will need to focus on HIPAA compliance in the following areas:

  • Electronic data interchange (EDI) transactions for health plan enrollment, eligibility, claims payment, premium payment, coordination of benefits, and referral/authorization - HIPAA will mandate specific EDI transaction standards and code sets for data.
  • Storage and reporting of identifiers - Patient IDs, provider IDs, payer IDs, and employer IDs will be standardized under HIPAA for purposes of electronic transactions. As a result, information systems devoted to administrative, financial, and clinical applications must be able to capture, store, and report these identifiers.
  • Protecting confidentiality of individually identifiable patient information in an automated system - Organizations must be able to demonstrate sound practices that protect patient confidentiality and security.

Organizations and vendors in the health care industry will need to understand the elements of HIPAA and be aware of the required changes. Providers and health plans will need to review their current information systems for HIPAA compliance, and should also closely review their current confidentiality and security practices. Third-party reviews are required. Providers and health plans will also need to institute policies for the selection and acquisition of new information systems that require vendors to demonstrate compliance with known HIPAA requirements and a commitment to meet future requirements.

What are the guidelines for HIPAA compliance?
HIPAA was written with only three general rules, which set general security standards without locking the health care industry into a particular technology:

  1. Comprehensive physical safeguards to protect patient data.
  2. Use of scalable technology.
  3. Technology neutrality, flexible enough to support interconnectivity and future industry advances.

Are there any penalties for not complying with the regulations?
Yes. For example, here are some penalties for non-compliance with these rules:

  • The civil penalty for violating transaction standards is up to $100 per person per violation and up to $25,000 per person per violation of a single standard for a calendar year.
  • The penalty for knowing misuse of individually identifiable health information can reach $250,000 and/or imprisonment for up to 10 years.

For more information, or to receive a Request For Proposal questionnaire, please contact us toll-free at (866) 585-8324 or via email at info@e3tech.net.

E3 Technology, Inc. ©2002