HIPAA and the HITECH Act 2013 – FAQs

Breaches and health information privacy complaints are on the rise, and public concern has increased significantly in recent years. Consequently, more federal and state regulations have come into place, along with greater enforcement and high legal liabilities for violations of the HIPAA Privacy and Security Rules. Legally, healthcare-related organizations are responsible for safeguarding the privacy of patients’ protected health information (PHI).
HITECH Act and HIPAA violations and penalties caused by health data breaches can result in serious risks and costs, even for the most diligent healthcare providers. Government enforcement and data security research statistics reveal that an alarming number of healthcare organizations experience undetected breaches of patients’ PHI or have serious HIPAA privacy and security failures.
HIPAA and HITECH 101
Health Insurance Portability and Accountability Act (HIPAA) – In 1996, the Health Insurance Portability and Accountability Act, or HIPAA, was endorsed by the U.S. Congress. The HIPAA Privacy Rule, also called the Standards for Privacy of Individually Identifiable Health Information, provided the first nationally recognized regulations for the use and disclosure of an individual’s health information. Essentially, the Privacy Rule defines how covered entities use individually identifiable health information, or PHI (Personal Health Information).
Personal Health Information (PHI) is any health-related information that can be used alone or in combination with other information to identify an individual.
Everyone who comes in contact with PHI in the course of doing business must comply with HIPAA regulations. These laws apply to those who work in the healthcare industry (covered entities), organizations contracted to handle healthcare information for business purposes (business associates), and organizations who have a mix of both healthcare and business services (hybrid entities).
HIPAA is about protecting and securing Personal Health Information (PHI).
The Health Information Technology for Economic and Clinical Health Act (HITECH) expands the requirements of the HIPAA Act to offer greater safeguards for protecting personally identifiable information.
Covered Entities – include providers, health plans, and clearinghouses. Examples of Covered Entities include:
- Hospitals
- Doctors’ offices
- Health Insurance providers
Business Associates – perform functions and services for covered entities involving the handling or use of PHI. Examples of Business Associates include:
- Legal
- IT
- Financial
- Consulting
- Billing
- Claim Services
Hybrid Entities – organizations that have a mix of both healthcare and business services. Note that hybrid entities typically build a “firewall” between their HIPAA-impacted and non-HIPAA-impacted business units to lessen the impact of HIPAA compliance. Examples of Hybrid Entities include:
- Universities (which have a health center)
- Self-insured companies (with a division that handles claims)
- Insurance companies that have multiple lines of insurance
Complying with HIPAA
HIPAA compliance is essential for any company doing business in the healthcare industry, where individuals share details of their health, personal lives and finances when they are at their most vulnerable. No matter what role a person plays in an organization, it’s important for them to receive HIPAA compliance training in order to avoid potentially costly mistakes.
HIPAA and HITECH Compliance FAQ
Q: What does it mean to be “complying with HIPAA?”
A: For companies, “Complying with HIPAA” means providing annual training to all employees on how to protect PHI and specifically on the HIPAA Privacy and Security Rules. For employees, it means following company policies related to the handling of PHI.
Q: Is there a minimum training requirement to meet HIPAA compliance?
A: The mandate to provide training is fairly vague – there are no time requirements, and it can be delivered in a variety of ways, including online, classroom, or video. Online training makes it possible to track completions and to generate and maintain reports within a learning management system (LMS). Providing a clear record of employee training to auditors is one of the key benefits of online training.
Q: Is training a one-time event or required annually?
A: Training should be done on an annual basis.
Q: I’ve heard there are new regulations related to HIPAA and the HITECH Act. When does this go into effect?
A: In January of 2013, the Department of Health and Human Services issued a long-awaited “final ruling” on HIPAA and HITECH that clarified a number of provisions in the laws. This “Omnibus Rule” goes into effect on March 26, 2013, but Covered Entities and Business Associates don’t have to be in compliance until September 23, 2013.
Q: If an organization has already completed their HIPAA training this year will they have to complete the training again with the new HITECH regulations?
A: Yes, they will need to complete the updated training by September 23, 2013. While this is the date that has been stated, it still could be considered a grey area, but an organization won’t go wrong by training people in the new information by that date.
Q: How significant were the new HIPAA regulations for the HITECH Act?
A: The changes were relatively minor. For example, here are the key points added to our course titled Complying with HIPAA for Business Associates:
- Business associates are subject to the same HIPAA fines and penalties as covered entities.
- Updated the definition of business associates to emphasize that it includes anyone who creates, receives, maintains, or transmits PHI on behalf of a covered entity—this could be data warehouses, e-prescription and data transmission providers, as well as legal, IT, financial, consulting, billing, and claim services.
- Emphasized that individuals are subject to fines, not just organizations.
- Business associates must provide Business Associate Agreements with subcontractors that outline their PHI obligations.
- PHI cannot be disclosed by an organization to generate a profit.