
HIPAA was enacted in 1996 with the goal of making health care in America more streamlined, efficient, and secure. This article discusses the history of HIPAA, breaks the law down into its component parts, and gives insight into how to comply.
Why HIPAA Was Created
HIPAA’s History
Originally known as the Kennedy-Kassebaum Bill, the Health Insurance Portability and Accountability Act, or HIPAA, is a set of regulations that became law in the mid-1990s.
Why HIPAA’s Important
HIPAA is a set of health care regulations with a two-pronged purpose:
- Help patients’ health insurance move with them and streamline the transfer of medical records from one health care institution to another
- Create standards for managing medical records to protect and enforce patients’ right to have their medical records and protected health information (PHI) kept private
HIPAA: When and Why
Why Healthcare Needed HIPAA
The roots of HIPAA stem from the 1990s when it first became apparent that the healthcare industry would become more efficient by computerizing medical records.
When HIPAA was passed in 1996, it included standards and rules that focused on regulating healthcare data management in terms of the portability of patient health information and the protection of a patient’s right to medical privacy.
HIPAA’s Timeline
- In 1996 HIPAA was enacted by Congress
- In 2000 the Transaction and Code Sets Rule was added
- In 2000 Congress passed the Privacy Rule
- In 2003 the Security Rule took effect
- In 2006 the Enforcement Rule was enacted
- In 2006 the National Provider Identifier (NPI) Rule was added
The result of concerns for protecting patient privacy, HIPAA was passed by Congress and signed by President Bill Clinton in 1996.
HIPAA’s Regulations
Titles of HIPAA
HIPAA is a series of regulations governing the transfer of medical information—particularly its modernization with growing use of electronic health record (EHR) systems.
To specifically address the issues of privacy rights and health insurance portability for patients, HIPAA is broken up into multiple titles.
HIPAA Title I
HIPAA Title I is known as “Health Care Access, Portability, and Renewability” and deals with health care plans and policies.
Title I regulates the amount of “exclusion period”, or time, that health insurers can delay coverage for pre-existing conditions, and gives options for policyholders to reduce the exclusion period.
Title I also enables people to carry their insurance from one job to the next.
HIPAA Title II
Title II contains the Administrative Simplification (AS) provisions and is otherwise known as “Preventing Health Care Fraud and Abuse.”
It is made up of five separate rules that have been added to HIPAA over time:
- Privacy Rule
- Transactions and Code Sets Rule
- Security Rule
- National Provider Identifiers Rule
- Enforcement Rule
Privacy Rule
The HIPAA Privacy Rule regulates the use and disclosure of Protected Health Information (PHI) held by “covered entities” (examples include employer-sponsored health plans and health insurers).
As the name implies, it sets requirements for covered entities to keep PHI private; since the Omnibus Rule update in 2013, HIPAA also applies to the independent contractors engaged by covered entities, otherwise known as “business associates.”
Transactions and Code Sets Rule
The Transactions and Code Sets Rule was intended to improve the efficiency of the American healthcare system by standardizing health care transactions.
By requiring all health plans to engage in healthcare transactions in a standardized way, this set of standards helps to simplify healthcare transactions across the industry.
Security Rule
The HIPAA Security Rule goes hand-in-hand with the Privacy Rule in terms of protecting patient information.
While the Privacy Rule covers both paper and electronic PHI, the Security Rule specifically addresses keeping Electronic Protected Health Information (EPHI) secure.
To comply with the Security Rule three types of EPHI security safeguards are required: administrative, physical, and technical.
National Provider Identifier Rule
The National Provider Identifier (NPI) Rule builds on other HIPAA rules for improving the efficiency of healthcare transactions.
Under the NPI Rule, all covered entities that use electronic communications (such as physicians, hospitals, and health insurance companies) must use a single NPI number that is unique to the provider.
With the NPI Rule, healthcare providers who complete electronic transactions and large health plans like Medicare are only allowed to use NPI numbers to identify covered providers.
Enforcement Rule
In 2006 the final HIPAA rule, the “Enforcement Rule”, was passed to address HIPAA enforcement by setting civil money penalties and investigation procedures for HIPAA violations.
Until then there had been relatively few violation prosecutions, but after the Enforcement Rule the number of investigations increased drastically. As of 2013, the HHS had investigated 19,306 noncompliance cases.
HIPAA Compliance
Medical Record Retention
| PHI Type | Retention Period |
| --- | --- |
| Diagnostic Images (Adults) | 5 years |
| Diagnostic Images (Minors) | 5 years after age of majority |
| Patient Health/Medical Records (Adults) | 10 years after latest encounter |
| Patient Health/Medical Records (Minors) | Age of majority plus statute of limitations |
| Disease Index | 10 years |
| Master Patient/Person Index | Permanently |
| Operative Index | 10 years |
| Physician Index | 10 years |
| Fetal Heart Monitor Records | 10 years after age of majority |
| Register of Births | Permanently |
| Register of Deaths | 50 years after death |
| Register of Surgical Procedures | Permanently |
Compliance Requirements
To comply with all of HIPAA’s different patient privacy regulations, there are several steps that healthcare providers and insurance companies have to take:
- Companies must have a HIPAA Compliance Officer who has taken a HIPAA compliance course. This person is responsible for staying on top of HIPAA requirements and company compliance.
- Employees need to be kept up to date on the policies that pertain to the organization. This may also require ongoing training for staff.
- To safeguard patient data against unauthorized access and disclosure, HIPAA requires implementing security measures that are adequate to prevent physical and network-based intrusions.
- In the event of a security breach, organizations are required by law to report the incident and to inform those patients and individuals whose information may be affected.
HIPAA Non-Compliance
Pay the Price for Noncompliance
| Violation Type | Minimum Civil Penalty | Maximum Civil Penalty |
| --- | --- | --- |
| Unknowing violation | $100 per violation, with an annual maximum of $25,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million |
| Violation from reasonable cause | $1,000 per violation, with an annual maximum of $100,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million |
| Violation due to willful neglect | $10,000 per violation, with an annual maximum of $250,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million |
| Violation due to willful neglect – not corrected | $50,000 per violation, with an annual maximum of $1,000,000 for repeat violations | $50,000 per violation, with an annual maximum of $1.5 million |
HIPAA Compliant Medical Record Storage: Top Options
There are several medical record storage and management options a practice can take to comply with HIPAA laws and regulations, including:
- Offsite Medical Records Storage: Records are kept at a pre-screened, HIPAA-compliant storage facility. All records are guarded and protected from fire and flood damage, and some facilities also manage retention schedules.
- Medical Record Scanning: A HIPAA- and HITECH-compliant medical records imaging process scans and digitizes medical records and other files. Optical character recognition (OCR) and document redaction options are also available.
- Electronic Medical Record (EMR) Software: Electronic medical records replace paper patient records and charts. With digital copies, medical practices can more easily track, distribute, and organize records and streamline their day-to-day processes.
- Electronic Health Records (EHR) Systems: A server- or cloud-based document management system for storing patient records. EHRs are more general than EMRs: they are designed to be shared among multiple providers, which simplifies tracking a patient’s overall history and prevents miscommunication between providers.
Need HIPAA-Compliant Medical Record Storage?
Find options for medical records storage, scanning, and EMR/EHR systems through Record Nations’ nationwide network of pre-screened providers. Call us today at (866) 385-3706 for free quotes on medical records storage and scanning services in your area.