HIPAA Administrative Simplification Statute and Rules
To improve the efficiency and effectiveness of the healthcare system across the USA, HIPAA (the Health Insurance Portability and Accountability Act), enacted in 1996, incorporated Administrative Simplification provisions that required HHS to adopt national standards for electronic healthcare transactions and code sets, unique health identifiers, and security. At the same time, it was recognized that recent advancements in electronic technology could encroach upon the privacy of healthcare databases. In August 2002, the Privacy Rule was amended; it contains national standards for the protection of individually identifiable healthcare information by three types of covered entities: health insurance plans, healthcare clearinghouses, and healthcare providers who conduct the standard healthcare transactions electronically. For health insurance plans, compliance with the Privacy Rule was made mandatory with effect from April 14, 2003 (April 14, 2004, for small health plans).
The HHS Office for Civil Rights is responsible for administering and enforcing the Privacy Rule and the Security Rule. The Enforcement Rule provides guidelines for the standards pertaining to the enforcement of all the Administrative Simplification Rules. All the HIPAA Administrative Simplification Rules are located at 45 CFR Parts 160, 162 and 164.
HIPAA - Privacy Rule
The HIPAA Privacy Rule establishes national standards for protecting individuals' medical records and other personal health information. It applies to health plans, healthcare clearinghouses, and those healthcare providers that conduct certain healthcare transactions electronically. The Rule requires adequate and appropriate safeguards to protect the privacy of personal healthcare information, and it sets limits and conditions on the uses and disclosures of such data that may be made without obtaining the requisite patient authorization. The Rule also confers on patients exclusive rights over their healthcare data, including the rights to examine and obtain a copy of their health records and to request corrections.
The Privacy Rule is located at 45 CFR Part 160 and Subparts A and E of Part 164.
HIPAA - Security Rule
The HIPAA Privacy Rule is also administered and enforced by OCR (Office for Civil Rights) in addition to the HHS Office for Civil Rights. This rule deals with the protection of an individual's healthcare records by combining the authority for administration and enforcement of the Federal standards for health information privacy and security called for by HIPAA (the Health Insurance Portability and Accountability Act).
The transition of authority for administration and enforcement of the Security Rule is expected to be effortless and seamless, without any interruption in management or hindrance in the processing of complaints filed prior to the transition. Consumers are required to submit HIPAA security complaints using the online resource, the Administrative Simplification Enforcement Tool (ASET). Security complaints may alternatively be sent to the OCR (Office for Civil Rights).
Enforcement Process
The Privacy Rule is enforced and implemented by OCR (Office for Civil Rights) in several ways:
- by investigating the complaints filed with it;
- by conducting reviews to determine whether covered entities are in compliance with the law;
- by conducting education and outreach to the public so as to foster compliance with the requirements of the HIPAA Privacy Rule;
- by working in conjunction with the Department of Justice (DOJ) to discuss and refer both civil and criminal violations of HIPAA.
Understanding Patient Safety and Data Confidentiality
The regulation implementing the PSQIA (Patient Safety and Quality Improvement Act) of 2005 came into effect on January 19, 2009.
PSQIA has established a voluntary reporting system to enhance the availability of data for assessing and resolving patient safety and healthcare quality issues. To encourage the reporting and analysis of errors pertaining to healthcare data across databases, PSQIA manages Federal privilege and confidentiality protections for patient safety information, defined as patient safety work product. Patient safety work product incorporates the data gathered and created throughout the reporting and analysis of patient safety events.
The confidentiality provisions incorporated into HIPAA will result in substantial improvement in the outcome of patient safety data reports. This can be achieved by creating an environment in which healthcare providers can report and examine patient safety events without fearing increased liability from ever-pervading risks. Greater reporting and analysis of patient safety events would yield more data, thereby delivering a comprehensive understanding of patient safety events.
In addition, OCR collaborates with AHRQ (Agency for Healthcare Research and Quality), which is responsible for listing patient safety organizations (PSOs), the external experts established by the Patient Safety Act for the collection and analysis of patient safety information.