The Health Insurance Portability and Accountability Act (HIPAA) was enacted by Congress in 1996 to protect health insurance coverage for workers when they change jobs, with provisions to keep medical information confidential.
Title I of HIPAA amends the Employee Retirement Income Security Act and the Public Health Service Act. This title prohibits any group health plan from making eligibility rules or evaluating premiums for people in the plan based on health status, medical history, genetic information, or disability. This title also limits restrictions a group health plan can place on benefits for already existing conditions. Group health plans can refuse to supply benefits for preexisting conditions for a period of 12 months after enrollment in the plan. Title I lets individuals reduce the exclusion period by the amount of time that they had “credible coverage” before enrolling in the plan and after any “significant breaks” in their coverage. “Credible coverage” includes most health care plans and a “significant break” is any period longer than 63 days without coverage.
In Title II, the most significant provisions are the Administrative Simplification rules. These rules are aimed at increasing the efficiency of the health care system by increasing privacy of health care information. The rules apply to “covered entities,” which include health plans, health care clearinghouses, and health care providers. There are five rules under Administrative Simplification: the Privacy Rule, the Transactions and Code Sets Rule, the Security Rule, the Unique Identifiers Rule, and the Enforcement Rule.
The Privacy Rule regulates the disclosure of Protected Health Information, any medical information about an individual. This part of the law is the most misinterpreted. Most people believe that they are not allowed to disclose any form of medical information about a person to anyone but the individual, but this is not the case. The process of getting your medical records can be confusing, such as finding out who or what entities have the right to see them or disclose their contents to others. The law states that health care providers may share information with others unless the patient objects, but does not require them to do so. The Security Rule, which complements the Privacy Rule, deals specifically with safeguarding electronic protected health information. The three types of safeguards that require compliance are administrative, physical, and technical.
The Transactions and Code Sets Rule states that the majority of medical providers that file electronically will have to file their electronic claims using the HIPAA standards in order to be paid. The Unique Identifiers Rule requires that all covered entities using electronic forms of communication can only use one National Provider Identifier (NPI). The NPI is a 10-digit number and the last digit is a checksum, which is a sum of the digits. The Enforcement Rule administers monetary penalties for violating HIPAA and establishes procedures for violations. However, no penalty has been given in four years.
The Security and Privacy Rules have caused problems for researchers and clinical care. These restrictions have affected researchers’ ability to perform chart-based research and the ability to evaluate patients by contacting them for follow-up. Because HIPAA is misunderstood, and there are stiff penalties for violators, physicians and medical centers may withhold information from those who have a right to access it.