HIPAA Compliance
HIPAA Compliance
What is HIPAA?
HIPAA is the acronym for the Health Insurance Portability and Accountability Act that was passed by Congress into law in the year 1996. It is legislation that provides security provisions and data privacy in order to keep patients’ medical information safe.
HIPAA does the following:
-
Provides the ability to transfer and continue health insurance coverage for millions of American workers and their family’s when they change or lose their jobs
-
Reduces health care fraud and abuse
-
Mandates industry-wide standards for health care information on electronic billing and other processes; and
-
Requires the protection and confidential handling of protected health information
To ensure the purpose of HIPAA, Human Health Services (HHS) established the Privacy Rule and the Security Rule.
The Privacy Rule set national standards for the protection of individually identifiable health information by three types of covered entities: health plans, health care clearinghouses, and health care providers who conduct the standard health care transactions electronically. Compliance with the Privacy Rule was required as of April 14, 2003 (April 14, 2004, for small health plans).
The Security Rule sets national standards for protecting the confidentiality, integrity, and availability of electronically protected health information. Compliance with the Security Rule was required as of April 20, 2005 (April 20, 2006, for small health plans).
The Rights Privacy Rule Gives You Over Your Health Information
Health insurers and providers who are covered entities must comply with your right to:
-
Ask to see and get a copy of your health records
-
Have corrections added to your health information
-
Receive a notice that tells you how your health information may be used and shared
-
Decide if you want to give your permission before your health information can be used or shared for certain purposes, such as marketing
-
Get a report on when and why your health information was shared for certain purposes
Some Best Practices for HIPAA Compliance
-
Provide ongoing, up-to-date training on the handling of PHI for all affected employees.
-
Ensure all computers have updated anti-virus software installed. This will help keep a practice guarded against malicious software.
-
Computer programs containing patient information should be closed and logged out of when not in use. Never share passwords between employees.
-
Always properly dispose of information containing PHI by shredding paper files.
-
Keep all patient paperwork, charts, and records locked away and safe out of the public's view. Never leave patient information out or unattended.
-
Limit emailing PHI if the information can be sent another way. When faxing PHI, always use a cover sheet.
-
Make sure employees are aware that using social media to share patient information is considered a violation of HIPAA.
Additional Resources:
FERPA and HIPAA Comparison Chart
FERPA |
HIPAA |
Established by the Department of Education |
Established by the Department of Human Health and Services |
Established to protect student educational records |
Established to protect individual protected health information |
Provides privacy for student educational records |
Provides both privacy and security protection for individual protected health information |
Applies to all schools that receive funding from the Department of Education |
Applies to only schools that are covered entities or hybrid covered entities |
Both acts are designed to protect individuals' private information with the appropriate safeguards to ensure the confidentiality, integrity and availability of private information, but they operate separately. There are some over laps which turn to create confusion, especially in organizations that need to be compliant to both. Some of these over laps include:
FERPA applies to most public and private postsecondary institutions and, thus, to the records on students at the campus health clinics of such institutions. These records will be either education records or treatment records under FERPA, both of which are excluded from coverage under the HIPAA Privacy Rule, even if the school is a HIPAA covered entity, according to HHS.
If a student receives treatment at a hospital affiliated with an institution that is subject to FERPA, the records would still fall under HIPAA’s protection. However, if there are no claims filed, such health records would then be considered education or treatment records, which are covered by FERPA
If a public high school employs a health care provider that bills Medicaid electronically for services provided to a student under the idea, the school is a HIPAA covered entity and would be subject to the HIPAA requirements concerning transactions. However, if the school’s provider maintains health information only in what are education records under FERPA, the school is not required to comply with the HIPAA Privacy Rule. Rather, the school would have to comply with FERPA’s privacy requirements with respect to its education records, including the requirement to obtain parental consent (34 CFR § 99.30) in order to disclose to Medicaid billing information about a service provided to a students.
Private Information Safeguarded
FERPA PROTECTS |
HIPAA PROTECTS |
Personally identifiable information-Names, address, Social Security Number, date of birth. |
Account numbers, Biometric identifiers, including finger, retinal, and voiceprints, Certificate/license number |
Educational record- School records that are directly related to the student and kept by the educational institution. |
Full face photographic images and any comparable images, health insurance beneficiary numbers |
Health records-Immunizations, checkups, or notes and records kept by the school nurse fall under the umbrella of “educational record |
Medical record numbers Names Phone Numbers Social Security numbers Vehicle identifiers |