On January 17, 2013, the Office for Civil Rights of the U.S. Department of Health & Human Services ("OCR") issued its long-awaited final rule modifying the HIPAA privacy, security, enforcement, and breach notification rules. The final rules will become effective on March 26, 2013, and compliance will be required by September 23, 2013. The new rules may be viewed in the Federal Register.
There are 5 parts to the HIPAA Law.
Who Must Comply?
The HIPAA Rules apply only to covered entities. Individuals, organizations, and agencies that meet the definition of a covered entity under HIPAA must comply with the Rules' requirements to protect the privacy and security of health information and must provide individuals with certain rights with respect to their health information. If an entity is not a covered entity, it does not have to comply with the HIPAA Rules.
This includes providers such as:
But only if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard.
The HIPAA Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of personal health information needed for patient care and other important purposes. The HIPAA Privacy Rule covers all protected health information, whether paper or electronic.
The Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities to use to assure the confidentiality, integrity, and availability of electronic protected health information. The HIPAA Security Rule covers electronically stored and transmitted protected health information.
Transactions are activities involving the transfer of health care information for specific purposes. Under HIPAA, if a health plan or health care provider engages in one of the identified transactions, it must comply with the standard for it, which includes using a standard code set to identify diagnoses and procedures. The Standards for Electronic Transactions and Code Sets, published August 17, 2000 and since modified, adopted standards for several transactions, including claims and encounter information, payment and remittance advice, and claims status. Any health care provider that conducts a standard transaction also must comply with the Privacy Rule.
*October 1, 2014: ICD-10 code sets for medical diagnosis and inpatient procedures.
HIPAA requires that employers have standard national numbers that identify them on standard transactions. The Employer Identification Number (EIN), issued by the Internal Revenue Service (IRS), was selected as the identifier for employers and was adopted effective July 30, 2002.
HIPAA requires that health care providers have standard national numbers that identify them on standard transactions. The National Provider Identifier (NPI) is a unique identification number for covered health care providers. Covered health care providers and all health plans and health care clearinghouses use the NPIs in the administrative transactions adopted under HIPAA. The NPI is a 10-position, intelligence-free numeric identifier (10-digit number). This means that the numbers do not carry other information about healthcare providers, such as the state in which they live or their medical specialty.
The HIPAA Enforcement Rule contains provisions relating to compliance and investigations, the imposition of civil money penalties for violations of the HIPAA Administrative Simplification Rules, and procedures for hearings. The HIPAA Enforcement Rule is codified at 45 CFR Part 160, Subparts C, D, and E.
Passed as part of the American Recovery and Reinvestment Act of 2009, the HITECH Rule (the Health Information Technology for Economic and Clinical Health Act) allowed for stricter enforcement and higher penalties under HIPAA.
If a patient comes to you stating they want to file a complaint against you, you must facilitate their ability to do so. This is all you need to do: print this form and hand it to them.
If you receive a letter from the Regional Office of OIG, cooperate with them. At the moment they are working diligently with doctors to help them get into compliance. I do not know how that will end. The following letter is an actual letter that was received by one of my doctors.