HIPAA: What It Is and Why You Should Care
What Is HIPAA?
As our society becomes increasingly dependent on the flow of information in our daily lives, the ease with which such information is transmitted needs to be balanced with the concerns of privacy and security. This balance is most critical for information that relates directly to our personal livelihood and health, such as financial information and our medical records.
As one of the largest healthcare payers and information consumers in the world (through Medicare and Medicaid), the U.S. government needed to address two major issues:
Accountability. As the electronic flow and exchange of information has become more prevalent, so have fears about how such information might be used and/or abused in this information age.
Standards. Information can only be exchanged easily if standards for both the format and exchange of the data can be followed by all interested parties.
In 1996, the United States Congress passed the Health Insurance Portability and Accountability Act, commonly referred to as HIPAA (pronounced HIP-uh). Through HIPAA, Congress charged the Department of Health and Human Services (HHS) with addressing the information concerns facing the healthcare industry.
Some of the HIPAA rules are already in effect, others are just now coming online, and a final set is waiting in the wings. The rules published by HHS break down into four broad areas:
The Transactions Rule
The Privacy Rule
Standard Unique Employer Identifier
Provider and Health Plan Identifiers
Let's take a closer look at what has been implemented and what's coming down the road.
CAUTION
Disclaimer: The content of this article is provided for informational purposes only. The author of this article is not a lawyer, and nothing here should be construed as legal advice. For all questions regarding legal matters, you should consult an attorney, not the World Wide Web.
Timeline
Once HHS publishes a rule under HIPAA, the industry is typically given 24 months before compliance with the rule is mandatory. This is a far longer lead time than most regulations receive, but the extra time is warranted by the complexity of implementing new information technology. Currently, the rules take effect as shown in the following table.
Rule | Mandatory Compliance Date
The Transactions and Code Set Standards | October 16, 2003
The Privacy Rule | April 14, 2003
The Security Rule | April 21, 2005
Standard Unique Employer Identifier | July 30, 2004
Standard Provider and Plan Identifiers | Not yet established
HIPAA is in the news again this summer because the compliance date for the Standard Unique Employer Identifier arrives on July 30. There are, of course, some exceptions to mandatory compliance, such as the exception for small health plans and the option of filing for an extension.
Penalties
To ensure compliance and give the legislation some teeth, HIPAA carries harsh penalties for organizations that fail to comply. Companies can face fines of up to $25,000 for multiple violations of HIPAA rules within a calendar year, and intentionally violating HIPAA can bring a fine of $250,000 and up to 10 years in prison.