HIPAA
When Congress passed the Health Insurance Portability and Accountability Act ("HIPAA") in 1996, it focused on the efficiencies that would be created through the standardization of electronic transactions between members of the health care industry. The Administrative Simplification provisions of HIPAA are designed to provide uniformity in the way that health care providers electronically submit claims to health insurers for payment; that insurers coordinate benefit payments among one another; that providers seek referral certification from insurers; and that employers forward premium payments to insurers. The standardization of these common transactions promises new efficiencies and cost-savings in the coming years for the health care industry.
Along the way to enacting the standardization principles of HIPAA, concern arose about the privacy of the individually identifiable health information that is transmitted in the standardized transactions and used by players in the health care industry on a day-to-day basis. Privacy advocates pushed for national protection for individually identifiable health information and Congress responded in HIPAA. Congress gave itself 36 months after the enactment of HIPAA to enact additional legislation "governing standards with respect to the privacy of individually identifiable health information." When Congress failed to pass privacy legislation, the task of formulating privacy standards fell to the Secretary of Health and Human Services.
HHS Secretary Donna Shalala issued the final Privacy Regulations in the waning days of the Clinton Administration in 2000. Although the new Bush Administration initially put the Privacy Regulations on hold, it eventually allowed them to become final with some relatively minor modifications, the most recent of which were published on August 14, 2002.
The final Privacy Regulations and their accompanying commentary take up over 400 pages in the Federal Register. The proposed versions of the Regulations and accompanying commentary comprise hundreds of more pages. The Regulations detail how affected organizations – "Covered Entities" in HIPAA parlance – may use and disclose individuals' health information. The Regulations detail uses and disclosures that run the gamut from treating patients, to making health plan claims determinations, to conducting research, to responding to subpoenas. They also confer rights on individuals with respect to their own health information that is held by Covered Entities – rights that include accessing, copying, amending, and receiving an accounting of disclosures of their health information. Thus, the privacy of health information – almost an afterthought when HIPAA was passed in 1996 – has become the proverbial tail that wags the Administrative Simplification dog of HIPAA. It presents important compliance challenges to Covered Entities.
Most covered entities must comply with HIPAA's privacy standards by April 14, 2003 (although smaller health plans have until April 14, 2003). Most covered entities must comply with the standard transaction regulations by October 16, 2003 and until April21, 2005 to comply with HIPAA's security standards.
Ice Miller's HIPAA team has followed the evolution of HIPAA's security, transaction, and privacy regulations since they appeared in proposed form in 1998. It assists health care providers and employer-sponsored group health plans (and their respective contractors and vendors) formulate plans to comply with HIPAA's complicated regulatory scheme. Analyzing uses of health information, training employees, developing policies and procedures, and drafting notices and contracts are just a few of the ways Ice Miller's HIPAA team assists providers and plans. For more information, please contact a member of our HIPAA team and visit our HIPAA Resource Center.