HIPAA -- Executive Summary Overview
The Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), also known as HIPAA, was enacted as part of a broad Congressional attempt at incremental healthcare reform. The "Administrative Simplification" aspect of that law requires the United States Department of Health and Human Services (DHHS) to develop standards and requirements for maintenance and transmission of health information that identifies individual patients.
These standards are designed to:
Improve the efficiency and effectiveness of the healthcare system by standardizing the interchange of electronic data for specified administrative and financial transactions; and
Protect the security and confidentiality of electronic health information.
The requirements outlined by the law and the regulations promulgated by DHHS are far-reaching: all healthcare organizations that maintain or transmit electronic health information must comply. This includes health plans, healthcare clearinghouses, and healthcare providers, from large integrated delivery networks to individual physician offices. After the final standards are adopted, small health plans have 36 months to comply. Others, including healthcare providers, must comply within 24 months.
The law provides for significant financial penalties for violations:
General Penalty for Failure to Comply:
Each violation: $100.
Maximum penalty for all violations of an identical requirement: May not exceed $25,000.
Wrongful Disclosure of Individually Identifiable Health Information:
Wrongful disclosure offense: $50,000, imprisonment of not more than one year, or both.
Offense under false pretenses: $100,000, imprisonment of not more than 5 years, or both.
Offense with intent to sell information: $250,000, imprisonment of not more than 10 years, or both.
Impact
Unlike Y2K, HIPAA is an enterprise-wide issue—not an information technology issue. There are legal, regulatory, process, security, and technology aspects to each proposed rule that must be carefully evaluated before an organization can begin its implementation plan. HIPAA is rapidly becoming a major issue in healthcare because:
Implementation timeframes are short: organizations must be in compliance 24 months after the regulations become final.
Y2K efforts have kept organizations from focusing on HIPAA.
Senior executives are clearly responsible for the security and confidentiality of patient health information, yet little has been done in most organizations to protect this information.
There are significant criminal and civil penalties for non-compliance, as well as serious liability risks for unauthorized disclosure.
There is no quick fix or easy solution to meet HIPAA requirements.
It is difficult to assess the costs and benefits of HIPAA because these are sweeping changes for which we have no historical experience. Estimated costs of implementation vary widely but will be in the billions of dollars. (The government estimated the five-year "conservative" cost of the privacy regulation alone to be $3.8 billion.)
HIPAA will have a major, ongoing impact on healthcare providers in several areas:
Significant resources will be required. Some degree of IT retooling will be required, as well as major operational and procedural changes.
Transactions will become more standardized, resulting in eventual savings for electronic data interchange.
For transaction standards, code sets, and identifiers, implementation will be the most expensive. Ongoing costs will involve obtaining and implementing updates to the standards.
Security and privacy regulations will be the most difficult and costly to implement and maintain because they are broad in scope, less definitive, and require constant vigilance for ongoing compliance.
A brief overview of the standards in four key areas is outlined below, followed by practical implementation strategies for healthcare organizations.
...
hipaa-iq.com