What is HIPAA?
HIPAA is the acronym for the Health Insurance
Portability and Accountability Act of 1996. HIPAA is a
federal law that requires the establishment of
national standards for electronic health care
transactions and national identifiers for providers,
health plans, and employers. It also addresses the
security and privacy of health information.
What was Title I of HIPAA designed to
HIPAA Health Insurance Reform
Title I of HIPAA was designed to protect health
insurance coverage for workers (with pre-existing
conditions) and their families when they change or
lose their jobs.
What does Title II of HIPAA
HIPAA Administrative Simplification
Title II of HIPAA provides for standards when sending
electronic claims. This reduces the administrative burden
on hospitals and physicians by not having to keep up with
different requirements and standards for different
insurance companies. As we move more toward sharing
patient billing information electronically, we need to be
sure that procedures are in place to ensure the security of
systems and protect patient privacy.
What is HITECH?
HITECH definition: The Health Information Technology for
Economic and Clinical Health (HITECH) Act, enacted as
part of the American Recovery and Reinvestment act of
2009, was signed into law on February 17, 2009, to
promote the adoption and meaningful use of health
information technology. Subtitle D of the HITECH act
addresses the privacy and security concerns associated
with the electronic transmission of health information, in
part, through several provisions that strengthen the civil
HITECH – “Enhanced” Privacy and Security
1. From $100 per incident up to $25,000/yr
2. And “Complaint Driven”
HITECH – “Enhanced” Privacy and Security
1. For “Willful Neglect”, from $50,000 per incident up to
$1.5 million/yr and criminal penalties
2. And enforcement through state Attorneys General
3. And HHS hired “Big Five” CPA firms for compliance
Big Challenges from HITECH
•HIPAA extended to business associates.
•Accounting for disclosures required.
•Notifications of data breaches of unprotected PHI
New in HITECH “Unprotected PHI”
Breach of “Unprotected PHI” requires notification of
Secretary of HHS and others HHS has determined that
protection for PHI is provided by:
•Secure destruction or
•Encryption (HITECH defined encryption for the first time)
•Provides “safe harbor”
•Must be certified by NIST
Data Breach Notification
Requires a “Risk Analysis” to determine if a disclosure is an
•Criteria include an estimate of damage in financial and
•Consider persistence of disclosure
•Safe harbor for ePHI provided by encryption and/or
All data breaches reported to Secretary, U.S. Dept. of Health
and Human Services.
Aspects of HIPAA
• Finalized August 2002
• Enforcement April 14, 2003
• Finalized February 20, 2003
• Enforcement April 21, 2005
Transactions and Code Set Standards
• Enforcement October 16, 2003
Enforcement February 10, 2010 for Business Associates, Penalties and Audit
(other regulations pending)
• Receive a privacy notice
The privacy notice describes how medical information about you may
be used and disclosed and how you can get access to this information.
• Access protected health information
Patients have the right to access their PHI contained in their medical
and billing records. They can review it and obtain a copy of it but not
the original record.
• Request an amendment to their health information
Patients have a right to request an amendment to their medical record.
As a provider we do not have to amend the record. We must have a
process in place to accept the amendment request, accept or deny the
amendment request and communicate with the patient about the
More patient rights…
• Receive an accounting for disclosure and access report
Patients have the right to receive a list of anyone who has obtained access to
their medical record and billing information with certain exclusions. As a
provider, we are required to maintain a written log that documents where
information is disclosed on each patient. The most common example of
disclosed information is data reported to the Health Department.
• Request we contact them by alternative means
Patients have the right to ask that we do not leave messages on their answering
machine or that we do not call them at their work number.
• File a complaint
Patients have the right to file a complaint with the UT Health Science Center
and with the Secretary of DHHS. We are required to have a complaint process
in place. The same process that is used for the Medicare compliance complaints
will be used for HIPAA complaints. To file a complaint, use the complaint form
What are the penalties under
There are severe civil and criminal penalties for
noncompliance that range from fines to prison
It should be noted that HIPAA is the only federal
regulation that carries with it personal liability to
individuals who violate the Act.
Under the HIPAA Security Rule,
Ensure the confidentiality, integrity, and availability of all
electronic protected health information that UTHSC creates,
receives, maintains, or transmits.
2) Protect against any reasonably anticipated threats or
hazards to the security or integrity of such information.
3) Protect against any reasonably anticipated uses or
disclosures of such information that are not permitted or
required under the Privacy rule.
4) Ensure compliance with HIPAA by its workforce.
How can I contact the
HIPAA Privacy Officer or Security
Will anything happen to a person who
files a complaint?
There will be no retaliation for filing a complaint.
It is against the law to cause problems for anyone who does file a
complaint. Reported items will be investigated, and appropriate
action will be taken. There will be no repercussions taken against an
employee who reports an issue.
You are encouraged to share information you believe is relevant for
federal regulation compliance. You are not required to identify
yourself. Confidentiality regarding the issues you raise will be
Is there anonymity provided for
Your concern might not be addressed unless you provide sufficient information
about the facts of the situation. Telephone calls are not recorded, and no effort is
made to determine the number or location from which you call.
Please provide as much information as possible. When possible, please provide
names of individuals who should be contacted during our investigation.
If you would like information of the progress of the investigation, you will need to
provide your name and telephone number.