What is the Health Insurance Portability and Accountability Act (HIPAA)?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a United States federal law that requires health care organizations to “maintain reasonable and appropriate, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information.” Protected health information (PHI) includes patient medical records, patient logs, insurance, billing and other personally identifiable health information.
Who is affected?
Health care providers, health plans and health care clearinghouses in the United States are required to comply with HIPAA standards.
What does HIPAA have to do with information management?
The entire legislation addresses information management issues as do two more specific rules, the Privacy Rule and the Security Rule. Both Rules are lengthy documents available from the US Department of Health and Human Services.
The HIPAA Privacy Rule requires health care organizations to protect the use, transmission and storage of individually identifiable health information including names, contact information, license numbers, account numbers, dates of birth and other information. HIPAA compliant organizations must also designate a privacy officer and ensure all staff are trained and understand privacy issues.
The HIPAA Security Rule is effective April 2005. This rule specifies administrative, technical and physical security procedures to ensure the confidentiality, integrity and availability of electronic protected health information.
What do companies have to do to comply with HIPAA?
Under HIPAA, health care organizations must, among other steps, implement policies and procedures related to accessing information to ensure individually identifiable information is properly safeguarded and not improperly disclosed…
Under the HIPAA Privacy Rule, health care organizations are required to have Business Associate Agreements with outside suppliers that assist with activities that would give the supplier access to protected health information. Examples include companies involved in claims processing and administration, billing, transcription, legal, financial and records management services.
Criminal Penalties for non-compliance are outlined under Section 1177 of the Act:
“(a) A person who knowingly and in violation of this part: 1) uses or causes to be used a unique health identifier; 2) obtains individually identifiable health information relating to an individual; or 3) discloses individually identifiable health information to another person, shall be punished as provided in subsection (b). (b) A person described in subsection (a) shall: 1) be fined not more than $50,000, imprisoned not more than 1 year, or both; 2) if the offense is committed under false pretenses, be fined not more than $100,000, imprisoned not more than 5 years, or both; and 3) if the offense is committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, be fined not more than $250,000, imprisoned not more than 10 years, or both.”
How can we help?
While HIPAA does not mandate a method for destruction, in the introduction to the HIPAA privacy regulations, “shredding prior to disposal” is identified as an appropriate safeguard.
Capital Paper can help companies comply with HIPAA by implementing a document destruction schedule and protocol to ensure the secure destruction of corporate records.
For more information:
United States Department of Health & Human Services
This document does not constitute a legal opinion or legal advice. Do not rely on any of the information in this document without first obtaining legal advice.