HIPAA requires that all patients can access their own medical records, request correction of errors or omissions, and be informed how their personal health information is being shared. Other provisions require that patients be notified of the organization's privacy practices. HIPAA provisions have led, in many cases, to extensive overhauls of medical records and billing systems.
HIPAA laws and regulations are divided into five rules:
- Privacy Rule
- Security Rule
- Transactions Rule
- Identifiers Rule
- Enforcement Rule
HIPAA Rule #1 - Privacy Rule
The HIPAA Privacy Rule is located at 45 CFR Parts 160 and 164. The Privacy Rule establishes national standards to protect individuals' medical records and other personal health information. The Privacy Rule applies to health plans, health care clearinghouses, and health care providers that conduct health care transactions electronically.
The HIPAA Privacy Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization.
The Privacy Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.
The following HIPAA forms are associated with the Privacy Rule:
Notice of Privacy Practices (NPP) Form
Request for Access to Protected Health Information (PHI) Form
Request for Restriction of Patient Health Care Information Form
Request for Accounting Disclosures Form
Authorization for Use or Disclosure Form
Privacy Complaint Form
HIPAA Rule #2 - Security Rule and Compliance
The HIPAA Security Rule addresses the protection of electronic protected health information (ePHI). Like the Privacy Rule, the Security Rule deals with individually identifiable health information, commonly characterized by the 18 HIPAA identifiers. The Security Rule defines standards, procedures and methods for protecting ePHI, with attention to how it is stored, accessed, transmitted and audited. The HIPAA Security Rule addresses three categories of safeguards:
- Administrative Safeguards - Risk analysis and risk management, security policies, workforce training, and assignment of a security officer or HIPAA security compliance team.
- Physical Safeguards - Protection of facilities, electronic systems, equipment and media that hold ePHI.
- Technical Safeguards - Access control, audit controls, integrity protection, authentication and transmission security (including encryption) used to control and monitor access to ePHI.
Covered entities must perform a risk analysis and apply risk management so that identified vulnerabilities and risks are reduced to a reasonable and appropriate level. Organizations should designate a security officer who is responsible for maintaining and enforcing HIPAA standards within the organization.
Hardware, Software and Transmission Security
Organizations should have a firewall in place. Transmission of PHI should be encrypted in line with HIPAA requirements and HHS guidance. Operating systems should be hardened and kept up to date, and policies should cover the updating of hardware, firmware, operating systems and applications.
Disaster Backup and Recovery Plan
Policies and procedures should include a disaster backup and recovery plan to ensure the business can continue operations in the event of a disaster. This includes keeping the business running, recovering lost data, testing backup and restore procedures, and replacing equipment.
Policies and procedures should also cover incident response: how security incidents are identified, and how to respond to them. The organization's security officer, together with management, should evaluate the effects of any incident. Incidents and their outcomes should be documented so that policies can be revised to prevent recurrence.
Training of Workforce
Organizations should provide a training program to raise awareness of HIPAA rights and obligations. Every individual in the organization must be trained on a regular basis. Training should cover employee awareness, password safeguarding and changing, workstation access, software use, virus and malware awareness, and other mission-critical operations.
Records and Information Access
Policies should define roles that determine who can access which programs and information. They should further define which IT personnel have the rights to grant or modify that access.
Audit mechanisms should be in place for all hardware, software and data control.
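The role-based access and audit controls described in this section, as an added example that is not part of the original page: a Python sketch that releases only the record fields a role is permitted to see (the "minimum necessary" idea) and writes every access attempt, allowed or denied, to a hash-chained audit log whose integrity can be verified afterwards. The roles, their permitted fields and the patient record are constructed for illustration and are not a HIPAA-mandated policy.

```python
"""Added example: role-based field filtering for PHI plus a hash-chained audit log.

Illustration only; the roles, permitted fields and patient record below are
constructed and are not HIPAA-mandated values.
"""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample record with fictional data (not real PHI).
RECORD = {
    "patient_id": "P-0001",
    "name": "Jane Example",
    "dob": "1980-01-01",
    "diagnosis_codes": ["E11.9"],
    "procedure_codes": ["99213"],
    "insurance_member_id": "XYZ123",
    "clinical_notes": "Follow-up visit; stable.",
}

# Hypothetical policy: which record fields each role may read ("minimum necessary").
ROLE_FIELDS = {
    "clinician": {"patient_id", "name", "dob", "diagnosis_codes",
                  "procedure_codes", "clinical_notes"},
    "billing": {"patient_id", "name", "dob", "diagnosis_codes",
                "procedure_codes", "insurance_member_id"},
    "front_desk": {"patient_id", "name", "dob"},
}


class AccessDenied(Exception):
    """Raised when a role requests a field it is not permitted to read."""


class AuditLog:
    """Append-only audit trail; each entry's hash covers the previous entry's
    hash, so editing or deleting an earlier entry breaks the chain."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []
        self._prev_hash = self.GENESIS

    @staticmethod
    def _digest(event):
        body = json.dumps(event, sort_keys=True).encode()
        return hashlib.sha256(body).hexdigest()

    def append(self, **event):
        event["prev_hash"] = self._prev_hash
        event["hash"] = self._digest(event)   # hash covers all fields incl. prev_hash
        self.entries.append(event)
        self._prev_hash = event["hash"]

    def verify(self):
        """True if every entry still hashes correctly and links to its predecessor."""
        prev = self.GENESIS
        for entry in self.entries:
            if entry["prev_hash"] != prev:
                return False
            body = {k: v for k, v in entry.items() if k != "hash"}
            if self._digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def access_record(user, role, record, fields, log, now=None):
    """Return only the requested fields the role may read; log every attempt.

    A request is all-or-nothing: asking for any field outside the role's
    allow-list is denied and recorded, rather than silently trimmed."""
    now = now or datetime.now(timezone.utc).isoformat()
    allowed = ROLE_FIELDS.get(role, set())
    denied = sorted(f for f in fields if f not in allowed)
    event = dict(ts=now, user=user, role=role, patient_id=record["patient_id"],
                 action="read", fields=sorted(fields))
    if denied:
        log.append(outcome="denied", denied_fields=denied, **event)
        raise AccessDenied(f"{user} ({role}) may not read {denied}")
    log.append(outcome="success", **event)
    return {f: record[f] for f in fields}


if __name__ == "__main__":
    log = AuditLog()
    print(access_record("dr_a", "clinician", RECORD,
                        ["diagnosis_codes", "clinical_notes"], log))
    try:
        access_record("desk_b", "front_desk", RECORD, ["name", "clinical_notes"], log)
    except AccessDenied as exc:
        print("denied:", exc)
    print("audit chain intact:", log.verify())
    log.entries[0]["user"] = "someone_else"   # simulate after-the-fact tampering
    print("audit chain intact after tampering:", log.verify())
```

The denial is logged before the exception is raised, so a failed attempt leaves the same evidence as a successful read; in a real deployment the log would be shipped to a separate, write-only store so that the chain verification is not performed on the same host an attacker controls.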
HIPAA Rule #3 - Transaction & Code Sets
Per HIPAA regulations, a Code Set is any set of codes used for encoding data elements, such as medical terms, medical concepts, medical diagnosis codes, and medical procedure codes. Code sets for medical data are required for administrative transactions under HIPAA for diagnoses, procedures, and drugs.
Medical data code sets used in the health care industry under HIPAA include coding systems for health-related problems and their manifestations; causes of injury, disease or impairment; actions taken to prevent, diagnose, treat, or manage diseases, injuries, and impairments; and any substances, equipment, supplies, or other items used to perform these actions.
Specifically, the following code sets are used in HIPAA transactions:
- ICD-9-CM codes
- ICD-10-CM codes
- HCPCS Codes
- CPT-3 Codes
- CPT-4 Codes
- NDC codes
HIPAA 5010 (Jan 1, 2012)
The Secretary of the Department of Health and Human Services (HHS) adopted Accredited Standards Committee X12 Version 5010 as the HIPAA standard regulating the electronic transmission of health-care transactions. The final rule was published Jan. 16, 2009. The prior standard for HIPAA transactions was Version 4010A1.
Covered entities, such as health plans, health care clearinghouses, and health care providers, are required to conform to HIPAA 5010 standards. The compliance deadline for HIPAA 5010 was January 1, 2012.
HIPAA Rule #4 - Unique Identifiers
As part of the HIPAA Administrative Simplification regulation, there are currently three unique identifiers used for covered entities in HIPAA administrative and financial transactions. The use of these unique identifiers will promote standardization, efficiency and consistency.
The unique identifiers under HIPAA regulations are:
Standard Unique Employer Identifier
The same as the Employer Identification Number (EIN) used on an organization's federal IRS Form W-2. This identifies an employer entity in HIPAA transactions.
National Provider Identifier (NPI)
NPI is a unique 10-digit number used for covered health-care providers in all HIPAA administrative and financial transactions.
National Health Plan Identifier (NHI)
The NHI is a Centers for Medicare & Medicaid Services (CMS) proposed identifier to identify health plans and payers.
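The NPI described above is a natural point for input validation when transactions are processed. As an added example (not part of the original page or of any CMS tool), the Python below computes and checks the NPI check digit and pulls the NPI out of a constructed X12 NM1 segment. Facts assumed here that the page does not state: the 10th NPI digit is a Luhn mod-10 check digit computed over the prefix 80840 plus the nine leading digits, and in an X12 NM1 segment the qualifier XX in element NM108 marks an NPI in NM109. The NM1 segments and the NPI 1234567893 are constructed test values.

```python
"""Added example: validating a National Provider Identifier (NPI) before
accepting it from a transaction.

Assumed fact not stated on the page: the 10th digit of an NPI is a Luhn
(mod 10) check digit computed over the constant prefix "80840" followed by
the first nine digits, so a mistyped or fabricated provider ID is usually
detectable on input.
"""

# Prefix used for NPI check-digit calculation: 80 = health applications,
# 840 = United States (ISO 3166 numeric country code).
NPI_PREFIX = "80840"


def _is_ascii_digits(s: str) -> bool:
    """Strict digit test; str.isdigit() would also accept Unicode digits."""
    return len(s) > 0 and all(c in "0123456789" for c in s)


def luhn_sum(digits: str) -> int:
    """Luhn weighted sum; the rightmost digit is doubled first, since it
    stands immediately to the left of the check-digit position."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def npi_check_digit(first_nine: str) -> str:
    """Compute the 10th digit for a 9-digit NPI body."""
    if not (_is_ascii_digits(first_nine) and len(first_nine) == 9):
        raise ValueError("NPI body must be exactly 9 digits")
    return str((10 - luhn_sum(NPI_PREFIX + first_nine) % 10) % 10)


def is_valid_npi(npi: str) -> bool:
    """True if npi is 10 ASCII digits whose last digit matches the Luhn check."""
    if not (_is_ascii_digits(npi) and len(npi) == 10):
        return False
    return npi_check_digit(npi[:9]) == npi[9]


def npi_from_nm1(segment: str):
    """Return the NPI from an X12 NM1 segment whose NM108 qualifier is 'XX'
    (CMS NPI), or None if the segment is not an NPI-bearing NM1.

    Assumes the default X12 delimiters ('*' between elements, optional
    trailing '~'); a real parser takes them from the ISA header."""
    elements = segment.rstrip("~").split("*")
    if len(elements) < 10 or elements[0] != "NM1" or elements[8] != "XX":
        return None
    return elements[9]


if __name__ == "__main__":
    # Constructed NM1 segment (billing provider loop) carrying a test NPI.
    seg = "NM1*85*2*EXAMPLE CLINIC*****XX*1234567893~"
    npi = npi_from_nm1(seg)
    print(npi, "valid" if is_valid_npi(npi) else "INVALID")
    print("transposed digits rejected:", not is_valid_npi("1234567983"))
```

A passing check digit only shows the identifier is well formed, not that it belongs to the provider named in the segment; that still requires a lookup against the NPPES registry or the payer's enrollment data.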
HIPAA Rule #5 - Enforcement Rule and Compliance
The current HIPAA Enforcement Rule incorporates the ARRA HITECH Act provisions, which distinguish between violations occurring before, and on or after, the HITECH compliance date of Feb. 18, 2009 "with respect to the potential amount of civil money penalty and the affirmative defense available to covered entities," according to the rule.
ARRA describes "improvements" to existing HIPAA law: covered entities, business associates and others are subject to more rigorous standards for protected health information (PHI). The HITECH Act expands the scope of the HIPAA Privacy and Security Rules and increases the penalties for HIPAA violations.
Specifically, the HITECH Act addresses five main areas of the HIPAA regulations:
- Applies the same HIPAA privacy and security requirements (and penalties) for covered entities to business associates
- Establishes mandatory federal privacy and security breach reporting requirements for HIPAA covered entities and business associates
- Creates new privacy requirements for HIPAA covered entities and business associates, including new accounting disclosure requirements and restrictions on sales and marketing
- Establishes new criminal and civil penalties for HIPAA non-compliance and new enforcement methods
- Mandates that the new security requirements must be incorporated into all Business Associate contracts
HIPAA GLOSSARY OF TERMS
Business Associate (BA)
A person or organization that performs a function or activity on behalf of a covered entity, but is not part of the covered entity's workforce. A business associate can also be a covered entity in its own right.
Code Set
Any set of codes used to encode data elements, such as tables of terms, medical concepts, medical diagnostic codes, or medical procedure codes. This includes both the codes and their descriptions.
Covered Entity (CE)
Any business entity that must comply with HIPAA regulations, which includes health-care providers, health plans and health-care clearinghouses. For purposes of HIPAA, health-care providers include hospitals, physicians and other caregivers.
Current Procedural Terminology (CPT)
A 5-digit code used in medical billing and records systems that defines the medical procedures and medical services provided.
Electronic Data Interchange (EDI)
X12 and similar formats for the electronic exchange of structured data. It is sometimes used more broadly to mean any electronic exchange of formatted data.
Electronic Health Record (EHR)
An electronic record of health-related information on an individual that conforms to nationally recognized interoperability standards and that can be created, managed, and consulted by authorized clinicians and staff across more than one health care organization.
Electronic Medical Record (EMR)
An electronic record of health-related information on an individual that can be created, gathered, managed, and consulted by authorized clinicians and staff within one health-care organization.
HCFA Common Procedure Coding System (HCPCS), now the Healthcare Common Procedure Coding System
A medical coding system used to describe what treatment or services were provided by a physician. The HCPCS Level II Coding books contain codes and descriptions for durable medical goods, injections, supplies and services not listed by CPT Coding books.
Health Level Seven (HL7)
A family of messaging and data exchange standards for clinical and administrative data that allows different medical records and billing systems to interoperate.
ICD-9 (International Classification of Diseases)
The 9th edition numerical code set used in medical billing describing a diagnosis or medical procedure to treat a disease, syndrome or disorder.
ICD-10 (International Classification of Diseases)
The 10th edition numerical code set that is the successor to ICD-9.
National Drug Code (NDC)
A medical code set that identifies prescription drugs and some over-the-counter products, and that has been selected for use in HIPAA transactions.
Personal Health Record (PHR)
An electronic record of health-related information on an individual that conforms to nationally recognized interoperability standards and that can be drawn from multiple sources while being managed, shared, and controlled by the individual.
Trading Partner Agreement (TPA)
An agreement related to the exchange of information in electronic transactions between the parties to the agreement.
Accredited Standards Committee X12 (ASC X12)
ANSI-accredited group that defines EDI standards for many American industries, including health care insurance. Most of the electronic transaction standards mandated or proposed under HIPAA are X12 standards.