HIPAA Home


HIPAA requires that all patients can access their own medical records, correct errors or omissions, and also be informed how their personal information is being shared. Other provisions involve notification of privacy procedures to the patient. HIPAA provisions have led, in many cases, to extensive overhauling with regard to medical records and billing systems.

HIPAA laws and regulations are divided into five rules:

  1. Privacy Rule
  2. Security Rule
  3. Transactions Rule
  4. Identifiers Rule
  5. Enforcement Rule

If you require access to your records, please go here to fill out the medical records information request and release form. If you have questions, please visit our FAQ page to see our HIPAA FAQ section or send us mail.


To obtain our HIPAA forms, you may follow this link.


 

5 HIPAA rules explained


HIPAA Rule #1 - Privacy


The HIPAA Privacy Rule is located at 45 CFR Part 160 and Subparts A and E of Part 164. The Privacy Rule establishes national standards to protect individuals' medical records and other individually identifiable health information. It applies to health plans, health care clearinghouses, and health care providers that conduct certain health care transactions electronically.

The HIPAA Privacy Rule requires appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization.

The Privacy Rule also gives patients rights over their health information, including rights to examine and obtain a copy of their health records, and to request corrections.

The following HIPAA forms are associated with the Privacy Rule:

Notice of Privacy Practices (NPP) Form

Request for Access to Protected Health Information (PHI) Form

Request for Restriction of Patient Health Care Information Form

Request for Accounting Disclosures Form

Authorization for Use or Disclosure Form

Privacy Complaint Form

HIPAA Rule #2 - Security Rule and Compliance


The HIPAA Security Rule (45 CFR Part 164, Subpart C) protects the confidentiality, integrity and availability of electronic protected health information (ePHI). Like the Privacy Rule, it applies to individually identifiable health information; the 18 HIPAA identifiers commonly cited are the data elements that must be removed under the Privacy Rule's safe-harbor de-identification method. The Security Rule defines standards and implementation specifications for how ePHI is stored, accessed, transmitted and audited, grouped into three categories of safeguards:

  1. Administrative Safeguards - the security management process (risk analysis and risk management), assignment of a security official, workforce training, contingency planning and periodic evaluation.
  2. Physical Safeguards - protection of facilities, workstations, and the devices and media that hold ePHI.
  3. Technical Safeguards - access control, audit controls, integrity controls, person or entity authentication, and transmission security (including encryption).

Covered entities must perform a risk analysis and apply risk management so that identified vulnerabilities and risks to ePHI are reduced to a reasonable and appropriate level. Each organization should assign a security official who is responsible for maintaining and enforcing the HIPAA standards within the organization.

Hardware, Software and Transmission Security

Organizations should have a hardware firewall in place. Transmission of PHI should be encrypted to meet the Security Rule's transmission security standard. Operating systems should be hardened and kept up to date. Policies should cover the updating of hardware, firmware, operating systems and applications.

Disaster Backup and Recovery Plan

Policies and procedures should include a disaster backup and recovery plan to ensure the business can continue operations in the event of a disaster. This includes keeping the business running, recovering lost data, testing of backup procedures and replacement of equipment.

Incident Response

Policies and procedures should cover incident response: how security incidents are identified, reported and handled. The security official, together with management, should evaluate the effects of any incident. Each incident and its outcome should be documented so that policies can be revised to prevent recurrence. An incident involving unsecured PHI may also trigger notification obligations under the Breach Notification Rule.

Training of Workforce

Organizations should provide a training program that raises awareness of patients' HIPAA rights and of workforce obligations. Every member of the workforce must be trained on a regular basis. Training should cover security awareness, password safeguarding and changing, workstation access, acceptable software use, virus and malware awareness, and other mission-critical operations.

Records and Information Access

Policies should define, by role, who may access which programs and information. They should also define the IT roles that are permitted to grant, modify and revoke that access, so that access changes are themselves controlled and reviewable.

Audit Methods

Audit mechanisms should be in place for all hardware, software and data control.
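As an added example (not Gamma Healthcare's code, and not a form prescribed by the Security Rule), the following Python sketches the two safeguards just described: role-based access to PHI that returns only the minimum-necessary portion of a record, and an audit log whose entries are hash-chained so that a later edit or deletion of an entry is detectable. The roles, the in-memory record store and the sample record are constructed for illustration.

```python
"""Role-based PHI access with a hash-chained audit log (illustrative example).

Assumptions: an in-memory record store, three hypothetical roles, and an
append-only audit log in which every entry carries the SHA-256 of the
previous entry, so an entry that is altered or removed after the fact
breaks the chain. Not production code and not a HIPAA requirement.
"""
import hashlib
import json
from datetime import datetime, timezone

# Hypothetical roles and the PHI operations each is permitted (minimum necessary).
ROLE_PERMISSIONS = {
    "physician": {"read_clinical"},
    "billing": {"read_billing"},
    "it_admin": set(),  # administers systems; never reads charts
}

# Constructed sample record; not real patient data.
RECORDS = {
    "MRN-0001": {
        "clinical": {"diagnosis": "J45.909", "note": "constructed sample"},
        "billing": {"cpt": "99213", "amount": 120.00},
    }
}

GENESIS_HASH = "0" * 64


class AuditLog:
    """Append-only log; each entry commits to the hash of the one before it."""

    def __init__(self):
        self.entries = []
        self._prev_hash = GENESIS_HASH

    @staticmethod
    def _digest(entry):
        # Hash every field except the hash itself, with a canonical key order.
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def append(self, user, role, action, record_id, allowed):
        entry = {
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "role": role,
            "action": action,
            "record": record_id,
            "allowed": allowed,
            "prev": self._prev_hash,
        }
        entry["hash"] = self._digest(entry)
        self._prev_hash = entry["hash"]
        self.entries.append(entry)

    def verify(self):
        """Return True only if every entry's hash and prev-link are intact."""
        prev = GENESIS_HASH
        for entry in self.entries:
            if entry["prev"] != prev or self._digest(entry) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def access_phi(user, role, action, record_id, audit):
    """Return the minimum-necessary part of a record for this action, or None if denied.

    Every attempt, allowed or denied, is written to the audit log before any
    data is returned, so the log also captures probing by unauthorized users.
    """
    allowed = action in ROLE_PERMISSIONS.get(role, set()) and record_id in RECORDS
    audit.append(user, role, action, record_id, allowed)
    if not allowed:
        return None
    record = RECORDS[record_id]
    return record["billing"] if action == "read_billing" else record["clinical"]


if __name__ == "__main__":
    log = AuditLog()
    print(access_phi("dr_a", "physician", "read_clinical", "MRN-0001", log))
    print(access_phi("clerk", "billing", "read_clinical", "MRN-0001", log))  # denied
    print("audit chain intact:", log.verify())
    log.entries[1]["allowed"] = True  # someone "cleans up" the denial afterwards
    print("audit chain intact after tampering:", log.verify())
```

In a real deployment the log would be written to storage the application account cannot modify (a separate log host or write-once store), and the chain head would be periodically signed or anchored off-box so that truncating the whole log is also detectable.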

HIPAA Rule #3 - Transaction & Code Sets


Per HIPAA regulations, a Code Set is any set of codes used for encoding data elements, such as medical terms, medical concepts, medical diagnosis codes, and medical procedure codes. Code sets for medical data are required for administrative transactions under HIPAA for diagnoses, procedures, and drugs.

Medical data code sets used in the health care industry under HIPAA include coding systems for health-related problems and their manifestations; causes of injury, disease or impairment; actions taken to prevent, diagnose, treat, or manage diseases, injuries, and impairments; and any substances, equipment, supplies, or other items used to perform these actions.

Specifically, the following code sets are used in HIPAA transactions:

  • ICD-9-CM codes
  • ICD-10-CM codes
  • HCPCS Codes
  • CPT-3 Codes
  • CPT-4 Codes
  • NDC codes

ICD-9-CM was replaced by ICD-10-CM (diagnoses) and ICD-10-PCS (inpatient procedures) as the required code set for HIPAA transactions for services on or after October 1, 2015.


HIPAA 5010 (compliance date January 1, 2012)

The Secretary of the Department of Health and Human Services (HHS) adopted Accredited Standards Committee X12 Version 5010 as the HIPAA standard for the electronic transmission of health-care transactions, replacing Version 4010/4010A1. The final rule was published January 16, 2009.

Covered entities, such as health plans, health care clearinghouses, and health care providers, are required to conform to the 5010 standards. The compliance deadline for Version 5010 was January 1, 2012.

HIPAA Rule #4 - Unique Identifiers


As part of the HIPAA Administrative Simplification regulation, there are currently three unique identifiers used for covered entities in HIPAA administrative and financial transactions. The use of these unique identifiers will promote standardization, efficiency and consistency.

The unique identifiers under HIPAA regulations are:

Standard Unique Employer Identifier

The same as the Employer Identification Number (EIN) used on an organization's federal IRS Form W-2. This identifies an employer entity in HIPAA transactions.

National Provider Identifier (NPI)

NPI is a unique 10-digit number used for covered health-care providers in all HIPAA administrative and financial transactions.

Health Plan Identifier (HPID)

The HPID was adopted by the Centers for Medicare & Medicaid Services (CMS) in a 2012 final rule to identify health plans in HIPAA transactions. CMS never enforced its use and rescinded the identifier in 2019, so health plans continue to be identified in transactions by the payer identifiers already in use.
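The NPI is not an arbitrary ten-digit number: its last digit is a Luhn check digit that CMS computes as if the nine identifying digits carried the card-issuer prefix 80840. A system that ingests provider identifiers can therefore reject mistyped or casually fabricated NPIs before a transaction is built. The validator below is an added example, not the page's or CMS's code; the NPI 1234567893 is the worked example from CMS's check-digit instructions and the other values are constructed.

```python
"""Validate the Luhn check digit of a National Provider Identifier (NPI).

Added example, not CMS software. An NPI is ten digits: nine identifying
digits plus a check digit. CMS computes the check digit with the Luhn
(mod 10, double-add-double) formula over the number as if it carried the
card-issuer prefix 80840, so the prefix is included below. 1234567893 is
the worked example from CMS's check-digit instructions; the other NPIs in
the demo are constructed.
"""

NPI_PREFIX = "80840"  # "80" = health applications, "840" = United States


def luhn_check_digit(payload: str) -> int:
    """Return the Luhn check digit for a string of digits.

    Walking from the right, every other digit is doubled (starting with the
    rightmost, because the check digit will sit to its right) and doubled
    values above 9 have 9 subtracted; the check digit brings the total to a
    multiple of 10.
    """
    if not payload.isdigit():
        raise ValueError("payload must contain digits only")
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def npi_check_digit(first_nine: str) -> int:
    """Check digit for the nine identifying digits of an NPI."""
    if len(first_nine) != 9 or not first_nine.isdigit():
        raise ValueError("NPI base must be exactly nine digits")
    return luhn_check_digit(NPI_PREFIX + first_nine)


def is_valid_npi(npi: str) -> bool:
    """True if npi is ten digits and its last digit is the correct check digit.

    This catches typos and casually fabricated numbers; it does not prove the
    NPI is assigned or belongs to a particular provider (that requires a
    lookup against the NPPES registry).
    """
    if len(npi) != 10 or not npi.isdigit():
        return False
    return npi_check_digit(npi[:9]) == int(npi[9])


if __name__ == "__main__":
    for candidate in ("1234567893", "1234567890", "9876543213", "12345"):
        print(candidate, "valid" if is_valid_npi(candidate) else "INVALID")
```

Because the prefix 80840 always contributes 24 to the Luhn sum, the same result is obtained by running Luhn over the nine digits alone and adding 24, which is how CMS's instructions describe the calculation.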

HIPAA Rule #5 - Enforcement Rule and Compliance


The HIPAA Enforcement Rule (45 CFR Part 160, Subparts C through E) sets out compliance investigations, civil money penalties and hearing procedures. Its current form stems from the HITECH Act provisions of ARRA, which distinguish between violations occurring before, and on or after, February 18, 2009 "with respect to the potential amount of civil money penalty and the affirmative defense available to covered entities," according to the rule.

ARRA describes "improvements" to existing HIPAA law: covered entities, business associates and others are subject to more rigorous standards for protected health information (PHI). The HITECH Act expands the scope of the HIPAA Privacy and Security Rules and increases the penalties for HIPAA violations.

Specifically, the HITECH Act addresses five main areas of the HIPAA regulations:

  1. Applies the same HIPAA privacy and security requirements (and penalties) for covered entities to business associates
  2. Establishes mandatory federal privacy and security breach reporting requirements for HIPAA covered entities and business associates
  3. Creates new privacy requirements for HIPAA covered entities and business associates, including new accounting disclosure requirements and restrictions on sales and marketing
  4. Establishes new criminal and civil penalties for HIPAA non-compliance and new enforcement methods
  5. Mandates that the new security requirements must be incorporated into all Business Associate contracts

HIPAA GLOSSARY OF TERMS


Business Associate (BA)

A person or organization that performs a function or activity on behalf of a covered entity, but is not part of the covered entity's workforce. A business associate can also be a covered entity in its own right.

Code Set

Any set of codes used to encode data elements, such as tables of terms, medical concepts, medical diagnostic codes, or medical procedure codes. This includes both the codes and their descriptions.

Covered Entity (CE)

Any business entity that must comply with HIPAA regulations, which includes health-care providers, health plans and health-care clearinghouses. For purposes of HIPAA, health-care providers include hospitals, physicians and other caregivers.

Current Procedural Terminology (CPT)

A 5-digit code used in medical billing and records systems that defines the medical procedures and medical services provided.

Electronic Data Interchange (EDI)

X12 and similar formats for the electronic exchange of structured data. It is sometimes used more broadly to mean any electronic exchange of formatted data.

Electronic Health Record (EHR)

An electronic record of health-related information on an individual that conforms to nationally recognized interoperability standards and that can be created, managed, and consulted by authorized clinicians and staff across more than one health care organization.

Electronic Medical Record (EMR)

An electronic record of health-related information on an individual that can be created, gathered, managed, and consulted by authorized clinicians and staff within one health-care organization.

Healthcare Common Procedure Coding System (HCPCS)

A medical coding system, originally named the HCFA Common Procedure Coding System, used to describe the treatment or services a physician or supplier provided. HCPCS Level I is the CPT code set; the HCPCS Level II code books contain codes and descriptions for durable medical equipment, injections, supplies and services not listed in the CPT code books.

Health Level Seven (HL7)

A data exchange protocol and interface for medical records and billing software that allows different systems to interoperate.

ICD-9 (International Classification of Diseases)

The 9th edition code set (ICD-9-CM) used in medical billing to describe a diagnosis or a medical procedure to treat a disease, syndrome or disorder. It was the required HIPAA code set until September 30, 2015.

ICD-10 (International Classification of Diseases)

The 10th edition code set that succeeded ICD-9 for HIPAA transactions on October 1, 2015. Unlike ICD-9, its codes are alphanumeric rather than purely numeric.

National Drug Code (NDC)

A medical code set that identifies prescription drugs and some over-the-counter products, and that has been selected for use in HIPAA transactions.

Personal Health Record (PHR)

An electronic record of health-related information on an individual that conforms to nationally recognized interoperability standards and that can be drawn from multiple sources while being managed, shared, and controlled by the individual.

Trading Partner Agreement (TPA)

An agreement between trading partners governing the exchange of information in electronic transactions.

X12

ANSI-accredited group that defines EDI standards for many American industries, including health care insurance. Most of the electronic transaction standards mandated or proposed under HIPAA are X12 standards.

HIPAA Data Security

HIPAA Data Security: Encryption & Destruction

HIPAA data security spans computer hard drives, removable media and paper documents. Each needs its own plan covering the data lifecycle: encryption while in use, retention, and retirement (destruction). Some healthcare entities perform data destruction in-house, while others outsource it to data destruction companies that also serve government agencies.

HIPAA Data Encryption

The Security Rule does not mandate a particular product or certification. Encryption of ePHI at rest and in transit is an "addressable" implementation specification (45 CFR 164.312(a)(2)(iv) and 164.312(e)(2)(ii)): a covered entity must implement it where reasonable and appropriate, or document why an equivalent alternative measure is used instead. HHS guidance on rendering PHI "unusable, unreadable, or indecipherable" points to NIST SP 800-111 for data at rest (for example full-disk or file encryption with AES, with the keys kept on a device or at a location separate from the data) and to NIST SP 800-52, 800-77 and 800-113 for data in transit. ePHI encrypted consistent with that guidance is not "unsecured PHI", so its loss or theft is not a reportable breach under the Breach Notification Rule. Where self-encrypting or hardware-encrypted drives are used, prefer FIPS 140-validated cryptographic modules and manage the keys centrally.

HIPAA Data Destruction

The same HHS guidance treats PHI as secured once the media holding it has been destroyed: paper, film and other hard-copy media must be shredded or destroyed so the PHI cannot be read or reconstructed, and electronic media must be cleared, purged or destroyed consistent with NIST SP 800-88 (Guidelines for Media Sanitization). Whichever method is used, keep a record of destruction (serial number, method, date, operator) as evidence for the retirement step of the data lifecycle.

High-Security Paper Shredding

Cross-cut or micro-cut shredders meeting NSA/CSS or DoD specifications exceed what HIPAA requires; the standard to meet is that the output cannot be reconstructed, which strip-cut output does not satisfy.

Hard Disk Destruction

Drives and media taken out of service should be purged and then physically destroyed (shredded, crushed or bent) so the platters or memory chips cannot be spun up or read. Degaussing is a valid purge method for magnetic disks but is ineffective on solid-state drives, which require cryptographic erase or physical destruction. Commercial hard-disk "destroyer" units exist for this purpose; confirm that the vendor documents the NIST SP 800-88 method used.


HIPAA and the HITECH Act

The American Recovery and Reinvestment Act of 2009 (ARRA) includes the Health Information Technology for Economic and Clinical Health (HITECH) Act.

The HITECH Act provides Medicare and Medicaid monetary incentives for hospitals and physicians to adopt electronic health records (EHRs) and also provides grants for the development of a health information exchange (HIE). These incentives and grants were created to stimulate health care providers to adopt technology necessary to improve the efficiency of patient healthcare.

The HITECH Act provides over $30 billion for healthcare infrastructure and the adoption of electronic health records (EHR). Under the Act, eligible physicians could receive up to $44,000 each from Medicare for "meaningful use" of a certified EHR system, with incentive payments beginning in 2011.

How HITECH affects HIPAA

The five areas of the HIPAA regulations that the HITECH Act changes are listed under HIPAA Rule #5 above.


GAMMA HEALTHCARE, INC.


MAIN OFFICE
1717 West Maud Poplar Bluff, MO 63901 
Phone: (573) 727-5600
Administration Fax: (573) 785-0753
Customer Service Fax: (573) 785-2369
Front Desk Fax: (573) 727-5686
Billing Fax: (573) 785-0125
HR Fax: (573) 727-5627
Lab/Processing Fax: (573) 727-5689
