OVERVIEW
HIPAA is the acronym for the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), formerly the Kennedy-Kassebaum Bill. Signed into law by President Clinton, this legislation was designed to reform healthcare in the United States incrementally. HIPAA is best known as the law that gives individuals and their families continued health insurance coverage after leaving, or losing, a job. However, HIPAA has evolved into a wide-reaching mandate aimed at assuring the privacy and security of individually identifiable healthcare information and at standardizing electronic healthcare transactions. The primary objective of HIPAA is the overall reduction of healthcare expenditures.

The HIPAA regulations apply to all healthcare organizations that maintain or transmit health information electronically. This includes all healthcare providers, from integrated delivery systems to private physician practices, as well as healthcare clearinghouses and health plans, collectively referred to as covered entities. Compliance with the HIPAA regulations is not a one-time event but an ongoing process that requires continued monitoring and updating. Non-compliance can lead to substantial criminal and civil penalties, which range from $100 per violation up to a maximum of $25,000 for a single violation. Fines can range up to $250,000 and 10 years in prison for wrongful disclosure with intent to sell information. Additionally, credentialing authorities, such as the Joint Commission on the Accreditation of Healthcare Organizations (JCAHO) and the National Commission on Quality Assurance (NCQA), are evaluating ways of integrating the HIPAA mandates into their evaluation processes.

It is critical to recognize that HIPAA is not an information technology issue but a management issue for all covered entities. Each rule has legal, regulatory, process, security and technology aspects. It would therefore be unwise to believe that installing information systems alone would achieve HIPAA compliance. Covered entities must analyze their processes and policies against the regulations through a detailed gap analysis. Only after identifying operational strengths and weaknesses can an optimal compliance plan specific to the entity be constructed and implemented.

The Administrative Simplification portion of the HIPAA law presents covered entities with uncertainties and will require activities that are anticipated to equal, or surpass, those of Y2K. Administrative Simplification falls into the following four broad sections:

Three of these categories, EDI Transactions and Code Sets, Unique Identifiers, and Privacy, have been approved by the Secretary of the Department of Health and Human Services (DHHS) and have established compliance dates.