Health Insurance Portability and Accountability Act

From LIMSWiki
Revision as of 18:40, 12 February 2015 by Shawndouglas (talk | contribs) (Added history. Saving and adding more.)
Jump to navigationJump to search

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted by the United States Congress and signed by President Bill Clinton in 1996. Its intended purpose was "to improve portability and continuity of health insurance coverage in the group and individual markets; to combat waste, fraud, and abuse in health insurance and health care delivery; to promote the use of medical savings accounts; to improve access to long-term care services and coverage; [and] to simplify the administration of health insurance."[1]

History

In 1994, U.S. President Bill Clinton attempted to overhaul the national health care system but didn't receive the support he needed. In 1995, Senators Nancy Kassebaum (R-KS) and Edward Kennedy (D-MA) introduced a comparatively pared down proposal called the Health Insurance Reform Act of 1995 (S 11028), later referred to informally as the Kassebaum/Kennedy Bill. The proposal called for health insurance portability for employees, medical savings accounts, increased deductibility of health insurance for the self-employed, and tax breaks for long-term care insurance.[2][3] The legislation successfully made it out of the Senate Labor and Human Resources Committee on August 2, 1995[4], only to be stalled "because of opposition from conservative senators who shared industry concerns over the group-to-individual portability provisions."[2]

With desire to get some sort of health care reform legislation passed, Clinton referenced the stalled bill in his January 1996 State of the Union address on several occasions. Though some feared the ploy by Clinton would ultimately sink the bill, it inevitably resulted in bipartisan cooperation so no one side could take credit for the bill.[4] On February 7, 1996, the two parties agreed to further discuss the legislation in the House and Senate. This resulted in several events: the House of Representatives created an alternative bill (HR 3103) that drew on characteristics of S 11028, passing on March 28; the Senate passed a version of the original S 11028 on April 23 but without controversial attachments like medical savings accounts. However, differences between the House and Senate bills caused problems. "The House bill, for example, included provisions allowing for medical savings accounts, a limit on monetary damages in medical malpractice lawsuits and a reduction in states' authority to regulate health insurance purchasing pools created by small businesses."[2] Additionally, a provision on mental health coverage was found on the Senate bill that was omitted from the House version. It took several weeks of debating to make concessions on these topics.

A Republican-led compromise was offered on June 10, however debate raged on. It wasn't until a July 25 compromise between Kennedy and Ways and Means Committee Chairman Bill Archer (R-TX) on medical savings accounts that momentum shifted. Provisions on mental illness and medical malpractice were eventually dropped from the proposal on July 31, with both House and Senate agreeing on the final version on August 1 and August 2 respectively.[2] On August 21, 1996, the legislation was signed into law by President Clinton and codified as Public Law 104-191, the Health Insurance Portability and Accountability Act of 1996.[5][1]

Structure

HIPAA is divided into five titles:

Title I: Health Care Access, Portability, and Renewability

Title II: Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform

Title III: Tax-Related Health Provisions

Title IV: Application and Enforcement of Group Health Plan Requirements

Title V: Revenue Offsets

Description

Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs.

Title II of HIPAA, known as the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers.[6] Title II also addresses the security and privacy of health data, with the intend of improving the efficiency and effectiveness of the nation's health care system by encouraging the widespread use of electronic data interchange in the U.S. health care system.

Enforcement

On February 16, 2006, HHS issued the Final Rule regarding HIPAA enforcement. It became effective on March 16, 2006. The Enforcement Rule set civil money penalties for violating HIPAA rules and established procedures for investigations and hearings for HIPAA violations. Before the enforcement rule, the deterrent effects of the legislation seemed negligible, with few prosecutions for violations.[7] Enforcement operations were ratcheted up further with the passage of the Health Information Technology for Economic and Clinical Health Act (HITECH) in 2009, which greatly increased the financial penalties that could be applied to entities in non-compliance.[8]

By the end of 2014, the U.S. Department of Health and Human Resources (HHS) reported investigating 106,522 HIPAA complaints against national pharmacy chains, major health care centers, insurance groups, hospital chains and other small providers since April 2003. The HHS reported 23,314 of those cases had been resolved by requiring changes in privacy practice or by corrective action. 10,566 cases were investigated and found that HIPAA was followed correctly. Another 68,412 cases were found to be ineligible for enforcement because, for example, a violation occurred before HIPAA became effective, a case was withdrawn by the pursuer, or an activity did not actually violate the rules.[9]

According to the HHS, the most commonly investigated compliance issue, by order of frequency, have been[9]:

  1. incorrectly used or revealed protected health information (PHI);
  2. insufficient protection mechanisms for PHI;
  3. insufficient mechanisms for patients to access their PHI;
  4. insufficient administrative protections and tools for managing electronic PHI; and
  5. usage and disclosure of more PHI than minimally necessary.

The HHS also stated the entities most likely to be responsible for infractions, by order of frequency, have been[9]:

  1. private practices;
  2. general hospitals;
  3. outpatient facilities;
  4. pharmacies; and
  5. health plans (group health plans and health insurance issuers).

Assessed impact

The enactment of HIPAA caused major changes in the way physicians and medical centers operate. The complex legalities and potentially stiff penalties associated with HIPAA, as well as the increase in paperwork and the cost of its implementation, were causes for concern among physicians and medical centers. Many of those concerns were expressed in an August 2006 paper published in the journal Annals of Internal Medicine.[10] It mentioned a University of Michigan study that demonstrated how the implementation of the HIPAA Privacy rule resulted in a drop from 96 percent to 34 percent in the proportion of follow-up surveys completed by study patients being followed after a heart attack.[11]

By 2013, views on the impact of HIPAA were mixed. Leon Rodriguez, director of the HHS' Office for Civil Rights said of HIPAA:

Whereas many thought HIPAA would "bankrupt" healthcare, shut down research, and otherwise paralyze the industry, instead the industry has learned the benefits of the transaction and code set standards through the ease of electronic transactions. And the balance of the [HIPAA] Privacy and Security protections have paved the way to real benefits for consumers through greater access to quality care.[8]

In an article for the Houston Chronicle, writer and business consultant Lisa Dorward stated the following for patients requesting personal health information:

Direct cost to patients is minimal; health care institutions can charge the patient only for copying and postage costs for delivery of the documents. On the other hand, costs to health care providers are high and can strain already overburdened budgets. Some clinics and hospitals have had to reconstruct or remodel existing registration areas to comply with HIPAA's privacy regulations.[12]

Writing for the Loyola Consumer Law Review, attorney and legal writer Anna Colvert wrote:

Generally, HIPAA is considered a step in the right direction regarding patient privacy, and it has resulted in more descriptive and detailed privacy policies; however, it has not improved the online privacy practices of these organizations. While HIPAA is a solid foundation in protecting patients’ healthcare information there is more work to be done..."[13]

A May 2013 Computerworld reported on a survey conducted by the Ponemon Institute that found 51 percent of respondents believed "HIPAA compliance requirements can be a barrier to providing effective patient care" and 59 percent "cited the complexity of HIPAA requirements as a major barrier to modernizing the healthcare system."[14]

Audit guidelines and checklist

For those auditing computer systems and IT environments for their compliance with the Health Insurance Portability and Accountability Act and other regulations, a set of guidelines and checklist items may be useful.

Click the link above for the full set of guidelines and checklist items as they relate to HIPAA.

Further reading


References

  1. 1.0 1.1 "Public Law 104 - 191 - Health Insurance Portability and Accountability Act of 1996". U.S. Government Publishing Office. http://www.gpo.gov/fdsys/pkg/PLAW-104publ191/content-detail.html. Retrieved 11 February 2015. 
  2. 2.0 2.1 2.2 2.3 "Bill Makes Health Insurance ‘Portable’". CQ Almanac 1996 52: 6-28–6-39. 1997. http://library.cqpress.com/cqalmanac/document.php?id=cqal96-1092479. Retrieved 12 February 2015. 
  3. "S. 1028 (104th): Health Insurance Reform Act of 1995". GovTrack.us. Civic Impulse, LLC. https://www.govtrack.us/congress/bills/104/s1028. Retrieved 12 February 2015. 
  4. 4.0 4.1 Hiebert-White, Jane (September-October 1996). "Who Won What in the Kassebaum/Kennedy Struggle?" (PDF). Health Progress 77 (5). https://www.chausa.org/docs/default-source/health-progress/health-policy---who-won-what-in-the-kassebaumkennedy-struggle-pdf.pdf?sfvrsn=0. Retrieved 12 February 2015. 
  5. Starr, Paul (22 August 1996). "The Signing of the Kennedy-Kassebaum Bill". The Electronic Policy Network. Archived from the original on 29 January 1998. https://web.archive.org/web/19980129180414/http://epn.org/library/signing.html. Retrieved 12 February 2015. 
  6. "Overview HIPAA - General Information". Centers for Medicare and Medicaid Services. http://www.cms.gov/HIPAAGenInfo/. Retrieved 28 February 2012. 
  7. Stein, Rob (5 June 2006). "Medical Privacy Law Nets No Fines". The Washington Post. http://www.washingtonpost.com/wp-dyn/content/article/2006/06/04/AR2006060400672.html. Retrieved 28 February 2012. 
  8. 8.0 8.1 Solove, Daniel J. (April 2013). "HIPAA Turns 10: Analyzing the Past, Present and Future Impact". Journal of AHIMA 84 (4): 22–28. http://library.ahima.org/xpedio/groups/public/documents/ahima/bok1_050149.hcsp?dDocName=bok1_050149. Retrieved 11 February 2015. 
  9. 9.0 9.1 9.2 "Enforcement Highlights". U.S. Department of Health and Human Services. 15 January 2015. Archived from the original on 11 February 2015. https://web.archive.org/web/20150211170207/http://www.hhs.gov/ocr/privacy/hipaa/enforcement/highlights/index.html. Retrieved 11 February 2015. 
  10. Wilson, Jennifer Fisher (2006). "Health Insurance Portability and Accountability Act Privacy Rule Causes Ongoing Concerns among Clinicians and Researchers". Annals of Internal Medicine 145 (4): 313–6. doi:10.7326/0003-4819-145-4-200608150-00019. PMID 16908928. 
  11. Armstrong, David; Kline-Rogers, Eva; Jani, Sandeep M.; Goldman, Edward B.; Fang, Jianming; Mukherjee, Debabrata; Nallamothu, Brahmajee N.; Eagle, Kim A. (2005). "Potential Impact of the HIPAA Privacy Rule on Data Collection in a Registry of Patients With Acute Coronary Syndrome". Archives of Internal Medicine 165 (10): 1125–9. doi:10.1001/archinte.165.10.1125. PMID 15911725. http://archinte.jamanetwork.com/article.aspx?articleid=486568. Retrieved 11 February 2015. 
  12. Dorward, Lisa. "The Positive and Negative Effects of HIPAA Employment Laws". Houston Chronicle. Hearst Newspapers, LLC. http://smallbusiness.chron.com/positive-negative-effects-hipaa-employment-laws-18500.html. Retrieved 11 February 2015. 
  13. Colvert, Anna (2013). "HIPAA'S Influence on Consumers: Friend or Foe?". Loyola Consumer Law Review 25 (4): 431–447. http://lawecommons.luc.edu/lclr/vol25/iss4/6/. Retrieved 11 February 2015. 
  14. Mearian, Lucas (7 May 2013). "HIPAA rules, outdated tech cost U.S. hospitals $8.3B a year". Computerworld.com. Computerworld, Inc. http://www.computerworld.com/article/2496995/healthcare-it/hipaa-rules--outdated-tech-cost-u-s--hospitals--8-3b-a-year.html. Retrieved 11 February 2015.