
Health Insurance Portability and Accountability Act

Congress adopted the Health Insurance Portability and Accountability Act (HIPAA) in 1996 to provide stronger health insurance protection for people leaving jobs and people with preexisting medical conditions.

The HIPAA legislation has had a significant influence on transactions and code sets, security, and privacy of individually identifiable health information. If a practice stores or transmits patient health information electronically, it must comply with HIPAA regulations. Since 1996, several amendments have strengthened the provisions and penalties of the Act.

Transactions and Code Sets

The transactions and code sets rules implement provisions of HIPAA intended to standardize and simplify how health information is stored and submitted in electronic formats. The goal is to make it easier for physicians to submit health insurance claims and for health insurers to process and pay those claims by having everyone format information in a uniform way.

The regulations adopt standard transactions for the electronic data interchange of health care data. These transactions are as follows: claims and encounter information; payment and remittance advice; claims status; eligibility; enrollment and disenrollment; referrals and authorizations; coordination of benefits; and premium payment. Under HIPAA, if a physician conducts one of the adopted transactions electronically, the adopted standard must be used.

Also adopted under HIPAA are specific code sets for diagnoses, procedures, and drugs to be used in all transactions. These are the code sets with which health care providers and health plans are already familiar: HCPCS (ancillary services and procedures), CPT-4 (physician procedures), CDT (dental terminology), ICD-9-CM (diagnoses and hospital inpatient procedures, replaced by ICD-10-CM and ICD-10-PCS as of October 1, 2015), and NDC (National Drug Codes).

Finally, the U.S. Department of Health and Human Services adopted standards for unique identifiers for employers, health care providers, and health plans, which must also be used in all transactions. Physicians should make sure claims and other transactions comply with the rules.

Security

Electronic storage of patients' personal health information raises significant concerns about unauthorized release of that information. If patient health information is stored or transmitted electronically, the HIPAA security regulations apply. The rules group their standards into three categories of safeguards:

• Technical safeguards

• Physical safeguards

• Administrative safeguards

There is some flexibility in implementing the rules in a physician's practice. Implementation of some of the standards is required; other standards are considered "addressable." An addressable standard is not optional: the practice must do the following:

• determine whether the standard is reasonable and appropriate for the practice, and implement it if so

• if it is not, implement an equivalent alternative measure where one is reasonable and appropriate

• document the assessment and why the standard itself is not appropriate for the practice

Privacy of Individually Identifiable Health Information

Safeguarding the privacy and confidentiality of a patient’s personal health information is an ethical obligation for obstetrician-gynecologists (see Appendix A, “Code of Professional Ethics of the American College of Obstetricians and Gynecologists”) and a legal requirement. The HIPAA privacy regulation applies if a physician or physician’s practice conducts any of the following activities electronically:

• Submitting claims

• Checking a patient’s eligibility or coverage

• Requesting preauthorization or a referral

• Receiving payments, notices of payments, or explanation of benefits

If a physician's practice conducts any of these transactions electronically, it is a covered entity. The HIPAA privacy regulations cover all forms of protected health information—paper, electronic, and oral. Covered entities must do the following:

• Develop written privacy policies and procedures for the practice.

• Designate a privacy officer who will be responsible for implementing the privacy policy. If the practice is small, this will probably be an existing staff person.

• Train all practice staff on the privacy policy.

• Provide all patients with a written Notice of Privacy Rights and Practices, which explains a patient’s privacy rights and outlines how the practice will use her protected health information.

• Make a good faith effort to obtain the patient's written acknowledgment of receiving the notice.

• Obtain contracts with business associates with whom protected health information is shared that provide assurance the business associate will protect the information.

• Limit disclosures of protected health information to the minimum amount necessary.

• Have a plan to assess and ameliorate potential risks and vulnerabilities to privacy and security and review the plan on a regular basis.

• Take reasonable precautions to prevent accidental disclosure of protected health information.

However, HIPAA does not require a practice to do the following:

• Obtain the patient’s consent for disclosures of protected health information related to treatment, payment, or operations.

• Make significant physical modifications to the office.

• Limit the amount of clinically relevant information provided to others caring for the patient.

Under HIPAA, a patient has the right to inspect her protected health information and to request that any inaccuracies be corrected. A physician is not required to honor her correction request, but must provide a written justification for refusal. A patient's written authorization is required before her protected health information is disclosed for purposes other than treatment, payment, or health care operations (apart from the specific exceptions the regulation itself lists, such as disclosures required by law). A patient also has the right to obtain a copy of her protected health information. If the information is maintained electronically, the patient may request a copy in an electronic format. The physician has up to 30 days to respond to the patient's request, extendable once by a further 30 days if the patient is given written notice of the delay.

The Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009, expanded the privacy and security provisions. Under the HITECH Act, privacy and security breach notification requirements were delineated, new rules for the accounting of disclosures were implemented, and penalties for violations were increased. Penalties for violating the HIPAA privacy regulations are listed in Table I-1. Prison sentences of 1-10 years can be added to the fines depending on the circumstances of the breach. Physicians are required to notify individuals whose protected health information has been compromised by a breach, even if the breach was caused by a business associate. If the breach involves more than 500 individuals, the Health and Human Services Office for Civil Rights must be notified without unreasonable delay and no later than 60 days after discovery, and if more than 500 residents of a single state or jurisdiction are affected, prominent media outlets serving that area must be notified as well. Smaller breaches must be logged and reported to the Office for Civil Rights annually.

Patients have a right to restrict disclosure of protected health information to their health plan when paying in full and out of pocket for the health care item or service. Practices must devise a method of identifying restricted information to ensure that the information is not inadvertently made available to a health plan.
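One way a practice's billing system can implement the restriction described above is to record the patient's restriction on each service line and enforce it at the point where a claim leaves the practice, rather than relying on staff to remember it. The following is an added illustration, not code from the ACOG manual or from any particular practice-management product; the record layout, the `restricted_from_plan` field, and the sample encounter are all assumptions constructed for the example. The export fails closed: a line whose restriction status was never recorded blocks the claim instead of being sent by default.

```python
"""Added example: enforcing a HIPAA self-pay restriction at claim export.

Assumptions (this example's, not the source text's): encounters are
simple dataclasses, the restriction is tracked per service line because
one visit can mix plan-billed and self-paid items, and an export that
cannot prove a line is unrestricted refuses to run.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ServiceLine:
    line_id: str
    code: str                  # CPT/HCPCS procedure code
    charge_cents: int
    # True when the patient paid in full out of pocket and asked that the
    # item not be disclosed to the health plan. None means the status was
    # never recorded, which the export treats as a hard error.
    restricted_from_plan: Optional[bool] = None


@dataclass
class Encounter:
    patient_id: str
    lines: list = field(default_factory=list)


class RestrictionViolation(Exception):
    """Raised when an export would (or might) disclose a restricted item."""


def build_plan_claim(enc: Encounter) -> dict:
    """Return the claim payload destined for the health plan.

    Restricted lines are omitted. Lines with unknown restriction status
    abort the export: the safe default is to send nothing, not everything.
    """
    unknown = [l.line_id for l in enc.lines if l.restricted_from_plan is None]
    if unknown:
        raise RestrictionViolation(
            f"restriction status not recorded for lines {unknown}; refusing to export")
    billable = [l for l in enc.lines if not l.restricted_from_plan]
    return {
        "patient_id": enc.patient_id,
        "lines": [{"line_id": l.line_id, "code": l.code, "charge_cents": l.charge_cents}
                  for l in billable],
        # Count only, never the codes: the count lets staff reconcile the
        # visit total without telling the plan what was withheld.
        "omitted_restricted_lines": sum(1 for l in enc.lines if l.restricted_from_plan),
    }


def assert_no_restricted_leak(enc: Encounter, claim: dict) -> bool:
    """Independent check on the outbound payload, run just before transmission.

    Compares by line_id rather than procedure code so that two lines with
    the same code (one restricted, one not) are told apart.
    """
    restricted = {l.line_id for l in enc.lines if l.restricted_from_plan}
    sent = {l["line_id"] for l in claim["lines"]}
    leaked = restricted & sent
    if leaked:
        raise RestrictionViolation(f"restricted lines leaked to plan: {sorted(leaked)}")
    return True


# Constructed sample encounter (not real patient data): an office visit
# billed to the plan plus a lab test the patient paid for out of pocket
# and asked to keep off the plan's records.
SAMPLE_ENCOUNTER = Encounter(
    patient_id="P-0001",
    lines=[
        ServiceLine("L1", "99213", 15000, restricted_from_plan=False),
        ServiceLine("L2", "80053", 4500, restricted_from_plan=True),
    ],
)

# Same visit, but the second line was entered without a restriction decision.
SAMPLE_ENCOUNTER_UNKNOWN = Encounter(
    patient_id="P-0002",
    lines=[
        ServiceLine("L1", "99213", 15000, restricted_from_plan=False),
        ServiceLine("L2", "80053", 4500),
    ],
)


if __name__ == "__main__":
    claim = build_plan_claim(SAMPLE_ENCOUNTER)
    assert_no_restricted_leak(SAMPLE_ENCOUNTER, claim)
    print(claim)
    try:
        build_plan_claim(SAMPLE_ENCOUNTER_UNKNOWN)
    except RestrictionViolation as exc:
        print("blocked:", exc)
```

The second check is deliberately separate from the builder: if the claim format is later generated by other code (a clearinghouse connector, a batch job), the same leak test can be run on its output, which is the kind of "method of identifying restricted information" the paragraph calls for.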

Table I-1. Penalties for Violating HIPAA Privacy Regulations* (amounts as published in 2013; they have since been adjusted for inflation)

Reason for Breach                  Minimum Penalty                      Maximum Penalty
Done unknowingly                   $100 to $50,000 per violation        $1.5 million per year
Had reasonable cause               $1,000 to $50,000 per violation      $1.5 million per year
Willful neglect but corrected      $10,000 to $50,000 per violation     $1.5 million per year
Willful neglect but uncorrected    $50,000 per violation                $1.5 million per year

*Prison sentences of 1-10 years can be added to the fines depending on the circumstances of the breach.


Source: American College of Obstetricians and Gynecologists (ed.). Guidelines for Women's Health Care: A Resource Manual. 4th ed. American College of Obstetricians and Gynecologists; 2014. 907 p.