Who Does HIPAA Apply To?
HIPAA applies to covered entities (health care providers, health plans, and health care clearinghouses) and to their suppliers and vendors (business associates) who “transmit, maintain, access or store” protected health information (PHI) on their behalf.
HIPAA is the acronym for the Health Insurance Portability and Accountability Act, which was passed by Congress in 1996. HIPAA does the following:
• Provides the ability to transfer and continue health insurance coverage for millions of American workers and their families when they change or lose their jobs;
• Reduces health care fraud and abuse;
• Mandates industry-wide standards for health care information on electronic billing and other processes; and
• Requires the protection and confidential handling of protected health information.
HIPAA is divided into five titles.
Title I of HIPAA ensures and enhances insurance access, portability, and renewability.
Under this title, HIPAA provides the following new protections for millions of working Americans and their families:
• Increases the ability to get health coverage when starting a new job;
• Reduces the probability of losing existing health care coverage;
• Helps workers maintain continuous health coverage when changing jobs; and
• Helps workers purchase health insurance coverage on their own if they lose coverage under an employer’s group health plan.
Title II covers preventing health care fraud and abuse; administrative simplification; and protecting the privacy and confidentiality of patient records and any other patient-identifiable information in any media form. Administrative Simplification defines rules for transactions, privacy, and security.
Titles III, IV, and V involve the various regulatory agencies that play a role in American health care delivery and financing. These titles are: Tax-related Health Provisions, Application and Enforcement of Group Health Insurance Requirements, and Revenue Offsets.
HIPAA Final Rule: Enforcement: Four Penalty Tiers
1: For a violation in which it is established that the covered entity or business associate did not know and, by exercising reasonable diligence, would not have known that the covered entity or business associate violated such provision. Potential Penalties: $100-$50,000 per incident, up to $1.5 million per calendar year for violations of an identical provision.
2: For a violation in which it is established that the violation was due to reasonable cause and not to willful neglect. Potential Penalties: $1,000-$50,000 per incident, up to $1.5 million per calendar year for violations of an identical provision.
3: For a violation in which it is established that the violation was due to willful neglect and was corrected during the 30-day period beginning on the first date the covered entity or business associate liable for the penalty knew, or, by exercising reasonable diligence, would have known that the violation occurred. Potential Penalties: $10,000-$50,000 per incident, up to $1.5 million per calendar year for violations of an identical provision.
4: For a violation in which it is established that the violation was due to willful neglect and was not corrected during the 30-day period beginning on the first date the covered entity or business associate liable for the penalty knew, or, by exercising reasonable diligence, would have known that the violation occurred. Potential Penalties: $50,000 per incident, up to $1.5 million per calendar year for violations of an identical provision.
The Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”) establishes, for the first time, a set of national standards for the protection of certain health information. The U.S. Department of Health and Human Services (“HHS”) issued the Privacy Rule to implement the requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). The Privacy Rule standards address the use and disclosure of individuals’ health information (called “protected health information”) by organizations subject to the Privacy Rule (called “covered entities”), as well as standards for individuals’ privacy rights to understand and control how their health information is used. Within HHS, the Office for Civil Rights (“OCR”) has responsibility for implementing and enforcing the Privacy Rule with respect to voluntary compliance activities and civil money penalties.