Health Insurance Portability and Accountability Act
(HIPAA – Public Law 104-191)
The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) is a broad statute that contains many provisions that affect health plans. Some of the significant rules contained within HIPAA relate to ensuring the privacy and security of personally identifiable information (the Privacy and Security Regulations) and setting uniform standards for the transmission of electronic health care claims data (the Electronic Data Interchange Regulations).
The HIPAA Privacy Regulations (or “Privacy Rule”) govern the use and disclosure of personally identifiable health information. Key items which are governed within the Privacy Rule include:
The HIPAA Security Regulations (or “Security Rule”) impose requirements on Covered Entities with respect to the protection of electronic PHI (“ePHI”). The main purpose of the Security Rule is to ensure the confidentiality, integrity and availability of ePHI, and Covered Entities must implement reasonable and appropriate safeguards designed to do so. Covered Entities must protect against reasonably anticipated threats to ePHI and against uses or disclosures of ePHI that are not permitted under the Privacy Rule. Covered Entities must also protect ePHI by ensuring that their workforces comply with the security requirements. The safeguards are intended to be flexible depending on the type, size and sophistication of the Covered Entity.
The Department of Health and Human Services (“HHS”) is responsible for enforcing the Privacy and Security Rules. HHS may also refer cases to the Department of Justice for criminal prosecution. Criminal penalties vary depending on the circumstances of the violation.
The Electronic Data Interchange (“EDI”) regulations set forth standardized electronic transaction guidelines for transmission of health care data.
The regulations are intended to streamline electronic health care transactions by ensuring that insurance carriers, third party administrators, and health insurance providers keep and exchange information in a uniform format. While the initial implementation costs are significant, it is expected that use of uniform standards will produce cost savings.
The Agency has designated Courtney Beaupre, Chief Quality & Compliance Officer, as responsible for the development and implementation of the HIPAA policies and procedures necessary for compliance. In addition, the HIPAA Privacy Officer, with the assistance of the HR Department, will be responsible for creating, posting and distributing the notice of information/privacy practices; processing authorizations for certain kinds of research, marketing, fundraising, etc.; meeting requests for correction/amendment of health records; considering requests for additional protection for, or confidential communications of, particularly sensitive health information; providing information/training to staff who have questions about HIPAA or state privacy protections; and handling any complaints from staff about possible HIPAA violations.
It is against Agency policy to retaliate against an employee for filing a complaint or for cooperating in an investigation of a complaint; such retaliation is also grounds for disciplinary action up to and including termination.
Information resulting from complaints filed under this procedure will be kept confidential by Agency management to the extent possible.
Additionally, if an employee is found to be in violation of this law or of Agency policies and procedures designed to comply with HIPAA, appropriate disciplinary action may be taken up to and including termination of employment.
Page 35 / GCI, Inc. Employee Handbook 01/2007 Reviewed/Updated 08/08, 01/09, 02/09 & 07/09