Health Insurance Portability & Accountability Act Update
HIPAA Privacy Rule - Effective April 14, 2003
The HIPAA Privacy Rule for the first time creates national standards to protect individuals’ medical records and other personal health information. These regulations apply to almost every physician, chiropractor, dentist, hospital, pharmacy, nursing facility and health plan in the nation.
What does the HIPAA Privacy Rule do?
- It gives patients more control over their health information
- It sets boundaries on the uses and release of health records
- It establishes appropriate safeguards that health care providers and others must achieve to protect the privacy of health information
- It holds violators accountable, with civil and criminal penalties that can be imposed if they violate residents’ privacy rights
- And it strikes a balance when public responsibility supports disclosure of some forms of data, for example, to protect public health
HIPAA Security Rule - April 21, 2005 Compliance Date
Under the final Security Rule, published February 20, 2003, Covered Entities must establish procedures and mechanisms to protect the confidentiality, integrity and availability of protected health information in electronic form. The Security Rule dictates that a Covered Entity conduct a risk assessment to identify risks to the confidentiality, integrity and availability of Protected Health Information, and to identify existing measures that protect against them, across 22 categories (called “Standards”) of administrative, physical and technical safeguards. Based upon that risk assessment, the Covered Entity must implement a risk management plan addressing each Standard. For most Standards, the Security Rule sets forth one or more “Specifications,” each an action or process that safeguards against the risks identified under the given Standard. Some Specifications are “Required,” meaning that the action or process must be implemented. Some Specifications are “Addressable,” meaning that the action or process is not mandatory but must be implemented unless it is reasonable and appropriate to implement an alternative that addresses the same risks.
To read the text of the final security rule on CMS’ web site, go to:
http://www.cms.gov/regulations/hipaa/cms0003-5/0049f-econ-ofr-2-12-03.pdf
Final Modifications to the Electronic Data Transaction Standards & Code Sets - April 16, 2003 Testing Deadline; October 16, 2003 Compliance Date
Modifications to a number of the electronic data transaction standards and code sets adopted as national standards under HIPAA were published on February 20, 2003. A Covered Entity must start testing software and computer systems internally no later than April 16, 2003 in order to ensure that software is capable of sending and receiving the transactions transmitted electronically in the standard HIPAA format. A Covered Entity must be ready to conduct transactions electronically in the standard HIPAA format by October 16, 2003. A Covered Entity which contracts with a third party biller or clearinghouse to conduct any covered transactions is responsible for ensuring that transactions are conducted in compliance with HIPAA. In addition, a Covered Entity must enter into a Business Associate Agreement with any parties with which it exchanges data electronically. A helpful “Provider HIPAA Readiness Checklist” for the standards is available from CMS at:
http://www.cms.gov/hipaa/hipaa2/ReadinesschkLst.pdf
To read the text of the final modifications to the transaction standards and code sets, go to:
http://www.cms.gov/regulations/hipaa/cms0003-5/0003ofr2-10.pdf