Health Insurance Portability and Accountability Act

Transcription

1 Health Insurance Prtability and Accuntability Act Frm Wikipedia, the free encyclpedia. (Redirected frm HIPAA) Jump t: navigatin, search The Health Insurance Prtability and Accuntability Act (HIPAA) was enacted by the U.S. Cngress in Accrding t the Centers fr Medicare and Medicaid Services' (CMS) website, Title I f HIPAA prtects health insurance cverage fr wrkers and their families when they change r lse their jbs. Title II f HIPAA, the Administrative Simplificatin prvisins, requires the establishment f natinal standards fr electrnic health care transactins and natinal identifiers fr prviders, health insurance plans, and emplyers. The AS prvisins als address the security and privacy f health data. The standards are meant t imprve the efficiency and effectiveness f the natin's health care system by encuraging the widespread use f electrnic data interchange in health care. As a matter f linguistic-plitical criticism, many have nted that the Act did little t actually make health insurance mre "prtable" in the sense f preserving access t health care when an individual changes emplyers. Als, despite its many new rules n the sharing f medical infrmatin, the Act did nt significantly increase health insurers' "accuntability" fr wrngding. Cntents [hide] 1 Administrative simplificatin prvisins 1.1 Privacy prvisin 1.2 HIPAA Electrnic Data Interchange (HIPAA/EDI) 1.3 Security prvisin 2 Legislative infrmatin 3 See als 4 External links

2 Administrative simplificatin prvisins The Administrative Simplificatin prvisins are nly applicable t "cvered entities", which include health care prviders (e.g. dctrs ffices and hspitals) which engage in electrnic transactins subject t the HIPAA/EDI rules belw, health plans (which includes health insurance cmpanies and emplyer-spnsred "grup health plans"), and health care clearinghuses. Privacy prvisin The HIPAA Privacy prvisin tk effect n April 14, 2003, with a ne-year extensin fr certain "small plans". Key privacy prvisins include: Individuals must be able t access their recrd and request crrectin f errrs Individuals must be infrmed f hw their persnal infrmatin will be used. Individuals "prtected health infrmatin" (r "PHI") cannt be used fr marketing purpses withut the explicit cnsent f the invlved individuals. Individuals can ask cvered entities which maintain PHI abut them t take reasnable steps t ensure that their cmmunicatins with the individual are cnfidential. Fr instance, an individual can ask t be called at his r her wrk number, instead f hme r cell phne number. Individuals can file frmal privacy-related cmplaints t the Department f Health and Human Services (HHS) Office fr Civil Rights. Cvered entities must dcument their privacy prcedures, but they have discretin n what t include in their privacy prcedure. Cvered entities must designate a privacy fficer and train their emplyees. Cvered entities may use an individual's infrmatin withut the individual's cnsent fr the purpses f prviding treatment, btaining payment fr services and perfrming the nn-treatment peratinal tasks f the prvider's business. HIPAA Electrnic Data Interchange (HIPAA/EDI) The HIPAA/EDI prvisin was scheduled t take effect Octber 16, 2003 with a neyear extensin fr certain "small plans"; hwever, due t widespread cnfusin and difficulty in implementing the rule, CMS granted a ne-year extensin t all parties. As f Octber 16, 2004, full implementatin was nt achieved and CMS began an penended "cntingency perid." Penalties fr nn-cmpliance were nt levied; hwever, all parties are expected t make a "gd-faith effrt" t cme int cmpliance.

3 CMS has annunced that the Medicare cntingency perid will end July 1, After July 1, mst medical prviders that file electrnically will have t file their electrnic claims using the HIPAA standards in rder t be paid. There are exceptins fr dctrs that meet certain criteria. Key EDI transactins are: 837: Medical claims with subtypes fr Prfessinal, Institutinal, and Dental varieties. 820: Payrll Deducted and Other Grup Premium Payment fr Insurance Prducts 834: Benefits enrllment and maintenance 835: Electrnic remittances 270/271: Eligibility inquiry and respnse 276/277: Claim status inquiry and respnse 278: Health Services Review request and reply These standards are X12 cmpliant, and are gruped under the label X12N. Implementatin Guides are available fr free frm the Washingtn Publishing Cmpany. Security prvisin The HIPAA Security prvisins tk effect April 20, 2005 with a ne-year extensin fr certain "small plans". The Security prvisin cmplements the Privacy prvisin. HIPAA defines three segments f security safeguards fr cmpliance: administrative, physical, and technical. Key prvisins are: Administrative Safeguards - plicies and prcedures designed t clearly shw hw the entity will cmply with the act Cvered entities (entities that must cmply with HIPAA requirements) must adpt a written set f privacy prcedures and designate a privacy fficer t be respnsible fr develping and implementing all required plicies and prcedures. The plicies and prcedures must reference management versight and rganizatinal buy-in t cmpliance with the dcumented security cntrls. Prcedures shuld clearly identify emplyees r classes f emplyees wh will have access t prtected health infrmatin (PHI). Access t PHI in all frms must be restricted t nly thse emplyees wh have a need fr it t cmplete their jb functin. The prcedures must address access authrizatin, establishment, mdificatin, and terminatin. Entities must shw that an apprpriate nging training prgram regarding the handling PHI is prvided t emplyees perfrming health plan administrative functins.

4 Cvered entities that ut-surce sme f their business prcesses t a third party must ensure that their vendrs als have a framewrk in place t cmply with HIPAA requirements. Cmpanies typically gain this assurance thrugh clauses in the cntracts stating that the vendr will meet the same data prtectin requirements that apply t the cvered entity. Care must be taken t determine if the vendr further ut-surces any data handling functins t ther vendrs and mnitr whether apprpriate cntracts and cntrls are in place. A cntingency plan shuld be in place fr respnding t emergencies. Cvered entities are respnsible fr backing up their data and having disaster recvery prcedures in place. The plan shuld dcument data pririty and failure analysis, testing activities, and change cntrl prcedures. Internal audits play a key rle in HIPAA cmpliance by reviewing peratins with the gal f identifying ptential security vilatins. Plicies and prcedures shuld specifically dcument the scpe, frequency, and prcedures f audits. Audits shuld be bth rutine and event-based. Prcedures shuld dcument instructins fr addressing and respnding t security breaches that are identified either during the audit r the nrmal curse f peratins. Physical Safeguards - cntrlling physical access t prtect against inapprpriate access t prtected data Respnsibility fr security must be assigned t a specific persn r department. This respnsibility includes the management and versight f data prtectin and persnnel cnduct with respect t data prtectin. Frequently, a Chief Security Officer psitin is established t fulfill this requirement. This psitin typically reprts t executive level management. Cntrls must gvern the intrductin and remval f hardware and sftware frm the netwrk. (When equipment is retired it must be dispsed f prperly t ensure that PHI is nt cmprmised.) Access t equipment cntaining health infrmatin shuld be carefully cntrlled and mnitred. Access t hardware and sftware must be limited t prperly authrized individuals. Required access cntrls cnsist f facility security plans, maintenance recrds, and visitr sign-in and escrts. Plicies are required t address prper wrkstatin use. Wrkstatins shuld be remved frm high traffic areas and mnitr screens shuld nt be in direct view f the public. If the cvered entities utilize cntractrs r agents, they t must be fully trained n their physical access respnsibilities. Technical Safeguards - cntrlling access t cmputer systems and enabling cvered entities t prtect cmmunicatins cntaining PHI transmitted

5 electrnically ver pen netwrks frm being intercepted by anyne ther than the intended recipient Infrmatin systems husing PHI must be prtected frm intrusin. When infrmatin flws ver pen netwrks, sme frm f encryptin must be utilized. If clsed systems/netwrks are utilized, existing access cntrls are cnsidered sufficient and encryptin is ptinal. Each cvered entity is respnsible fr ensuring that the data within its systems has nt been changed r erased in an unauthrized manner. Data crrbratin, including the use f check sum, duble-keying, message authenticatin, and digital signature may be used t ensure data integrity. Cvered entities must als authenticate entities it cmmunicates with. Authenticatin cnsists f crrbrating that an entity is wh it claims t be. Examples f crrbratin include: passwrd systems, tw r threeway handshakes, telephne callback, and tken systems. Cvered entities must make dcumentatin f their HIPAA practices available t the gvernment t determine cmpliance. In additin t plicies and prcedures and access recrds, infrmatin technlgy dcumentatin shuld als include a written recrd f all cnfiguratin settings n the cmpnents f the netwrk because these cmpnents are cmplex, cnfigurable, and always changing. Dcumented risk analysis and risk management prgrams are required. Cvered entities must carefully cnsider the risks f their peratins as they implement systems t cmply with the act. (The requirement f risk analysis and risk management implies that the act s security requirements are a minimum standard and places respnsibility n cvered entities t take all reasnable precautins necessary t prevent PHI frm being used fr nn-health purpses.) Legislative infrmatin Huse: 104 H.R. 3103, H. Rept , Pt. 1, H. Rept Senate: 104 S. 1028, 104 S. 1698, S. Rept Law: Pub. L , 110 Stat HHS Privacy Rule: 45 CFR 160, 45 CFR 164