In 1996, the US Congress enacted HIPAA (Health Insurance Portability and Accountability Act) to define a national standard for the privacy and security of confidential health information. The act requires all health plans, healthcare clearinghouses and healthcare providers operating anywhere in the United States to adhere to the minimum standards it defines.
The security and privacy regulations stipulated by HIPAA require all entities within its scope, such as hospitals and healthcare units, together with their business associates, to implement appropriate policies and procedures to safeguard medical information, whether it is shared verbally or electronically.
This protects sensitive patient information, such as details of a patient's physical and mental health. HIPAA compliance is binding on every healthcare center that works with patients and maintains their health records.
The HIPAA Privacy Rule took effect on April 14, 2003. It applies to all patient health information, whether stored in written, electronic or oral form. It offers federal protection to patients' health information held by covered entities and gives patients a range of rights concerning that information.
The rule also specifies safeguards that limit access to protected health information to authorized persons only. It further requires a thorough accounting of disclosures of health information and documentation of the entity's practices for using and disclosing medical information.
It incorporates a 'minimum necessary' standard governing how much information may be disclosed: physicians, hospitals and all other entities covered by the rule must restrict any disclosure to the minimum necessary to achieve its intended purpose.
Protecting patients’ privacy is a critical component of HIPAA compliance.
The HIPAA Security Rule came into effect on April 20, 2005 for large healthcare entities and a year later for smaller health plans with $5 million or less in annual receipts. It prescribes a set of administrative, technical and physical safeguards that all covered healthcare entities must apply to ensure the confidentiality, integrity and availability of protected health information stored in electronic form.
This rule plays a significant role because it is flexible and defines a security framework for healthcare service providers both small and large. It further stresses the importance of a written security plan that identifies and covers the three vital components, administrative, technical and physical, for every covered healthcare entity.
Preventing the misuse of data and ensuring its safety is another critical aspect of HIPAA compliance that every covered healthcare practitioner must follow strictly.
As most health information is now stored electronically, HIPAA also governs the security of protected health information that is exchanged electronically between healthcare service providers and health benefit plans.
HIPAA violations are dealt with seriously: an offender could be fined up to $25,000, a limit that has recently been increased to $50,000. In serious cases, the US DoJ (Department of Justice) conducts a criminal investigation, and if convicted, violators could be jailed for up to 10 years or fined up to $250,000. In other cases, the US HHS (Department of Health and Human Services) may investigate the matter and resolve it informally.
HIPAA does not differentiate between U.S. and foreign business associates and does not impose any legal restriction on outsourcing healthcare-related services. However, organizations must remain HIPAA compliant when engaging offshore vendors.
The above HIPAA FAQs should have clarified most of your questions about the HIPAA basics that affect our work with healthcare providers (clinics, hospitals, physicians) and insurance companies. Read more about how MedBillingExperts guarantees HIPAA compliance.
Contact us today with your outsourcing requirements.