Scott & Scott | Software Compliance Counsel

The HIPAA Privacy Rule

The U.S. Department of Health and Human Services (“HHS”) promulgated the privacy rule pursuant to the Health Insurance Portability and Accountability Act (“HIPAA”), and the Office of Civil Rights (“OCR”) has responsibility for ensuring that health care providers implement and enforce the rule. The HIPAA privacy rule applies to health plans, health care clearinghouses, and health care providers. The privacy rule also requires covered entities that use contractors to protect the information using Business Associate Agreements.

What is a Covered Entity?

As discussed above, covered entities include health care providers, health care clearinghouses, and private benefit plans. It may be difficult to determine whether HIPAA applies in a particular situation. For instance, is information collected by an employer for a health-care plan subject to HIPAA? An individual or an entity is a health care provider if the person, business or agency furnishes, bills, or receives payment for health care in the normal course of business and sends any covered transactions electronically. Covered transactions include requests for payment, requests for benefit information, enrollment in health plans, payments, and remittance. A business or agency is a health care clearinghouse if it processes or facilitates the processing of health information from one format to another and if the business or agency performs this function for another legal entity. A private benefit plan can be a health plan covered by HIPAA if:


  • It is a group plan that has more than 50 participants or a group plan with fewer than 50 participants that is not self-administered;

  • It is a health insurance issuer;

  • It is an issuer of a Medicare supplemental policy;

  • It is an HMO;

  • It is a multi-employer welfare benefit plan;

  • It is an issuer of long-term care policies that provides only nursing home fixed-indemnity policies; or

  • It is a plan that provides benefits other than excepted benefits.


Several government-funded programs can also be covered health plans, including high-risk pools, and certain HMOs. If the principal purpose of the program is something other than providing health care services or paying the cost of health care (e.g., operating a prison or running a scholarship program), the program is not a covered health plan.

What are the Basic HIPAA Requirements?

Pursuant to the rule, a covered entity may use and disclose protected health information, without an individual’s authorization, for the following purposes or situations: (1) To the Individual (unless required for access or accounting of disclosures); (2) Treatment, Payment, and Health Care Operations; (3) Opportunity to Agree or Object; (4) Incident to an otherwise permitted use and disclosure; (5) Public Interest and Benefit Activities; and (6) Limited Data Set for the purposes of research, public health or health care operations. Entities governed by HIPAA can rely on professional ethics and their best judgment to determine which disclosures to make. Covered entities cannot use or disclose protected health information unless the use or disclosure is specifically articulated by the HIPAA privacy rule.

Comments (1)

Mike:

I would like to introduce one website which I recently discovered, a very good regulatory compliance website which provides useful information about HIPAA and also provides good information about other regulatory compliance authorities such as SOX, ISO 17799, OSHA, FISMA, etc. Also, this website provides a wonderful compliance tool from Symantec which is a very useful tool for complying with these regulations. This poster is a crosswalk between: ISO 17799, COBIT 4.0, Sarbanes Oxley, HIPAA, Payment Card Industry (PCI), GLBA, NERC standards CIP and PIPEDA (Canada).


About

This page contains a single entry from the blog posted on July 24, 2007 10:13 AM.
