Compliance Officer Portal - HIPAA Compliance
The Health Insurance Portability
and Accountability Act of 1996 (HIPAA), Public Law 104-191, was
enacted on August 21, 1996. |
Sections 261 through 264 of
HIPAA require the Secretary of HHS to publicize standards for
the electronic exchange, privacy and security of health
information. Collectively these are known as the Administrative
HIPAA required the Secretary
to issue privacy regulations governing individually identifiable
health information, if Congress did not enact privacy
legislation within three years of the passage of HIPAA.
Because Congress did not enact privacy legislation, HHS
developed a proposed rule and released it for public comment on
November 3, 1999.
The Department received over 52,000
public comments. The final regulation, the Privacy Rule, was
published December 28, 2000.
In March 2002, the
Department proposed and released for public comment
modifications to the Privacy Rule. The Department received over
The final modifications were published
in final form on August 14, 2002.
Privacy of Individually Identifiable Health Information
(“Privacy Rule”) establishes, for the first time, a set of
national standards for the protection of certain health
The U.S. Department of Health and Human
Services (“HHS”) issued the Privacy Rule to implement the
requirement of the Health Insurance Portability and
Accountability Act of 1996 (“HIPAA”).
The Privacy Rule
standards address the use and disclosure of individuals’ health
information—called “protected health information” by
organizations subject to the Privacy Rule — called “covered
entities,” as well as standards for individuals' privacy rights
to understand and control how their health information is used.
Within HHS, the Office for Civil Rights (“OCR”) has
responsibility for implementing and enforcing the Privacy Rule
with respect to voluntary compliance activities and civil money
A major goal of the Privacy Rule is to assure
that individuals’ health information is properly protected while
allowing the flow of health information needed to provide and
promote high quality health care and to protect the public's
health and well being.
The Rule strikes a balance that
permits important uses of information, while protecting the
privacy of people who seek care and healing. Given that the
health care marketplace is diverse, the Rule is designed to be
flexible and comprehensive to cover the variety of uses and
disclosures that need to be addressed.
The Privacy Rule protects all "individually
identifiable health information" held or transmitted by a
covered entity or its business associate, in any form or media,
whether electronic, paper, or oral.
The Privacy Rule
calls this information "protected health information (PHI)."
“Individually identifiable health information” is
information, including demographic data, that relates to:
• the individual’s past, present or future physical or
mental health or condition,
• the provision of health
care to the individual, or
• the past, present, or future
payment for the provision of health care to the individual, and
that identifies the individual or for which there is a
reasonable basis to believe can be used to identify the
Individually identifiable health information
includes many common identifiers (e.g., name, address, birth
date, Social Security Number).
Privacy Rule excludes
from protected health information employment records that a
covered entity maintains in its capacity as an employer and
education and certain other records subject to, or defined in,
the Family Educational Rights and Privacy Act, 20 U.S.C. §1232g.
De-Identified Health Information
There are no
restrictions on the use or disclosure of de-identified health
De-identified health information neither
identifies nor provides a reasonable basis to identify an
individual. There are two ways to de-identify information;
1) a formal determination by a qualified
2) the removal of specified
identifiers of the individual and of the individual’s relatives,
household members, and employers is required, and is adequate
only if the covered entity has no actual knowledge that the
remaining information could be used to identify the individual.
To learn more: www.hhs.gov
Top 10 risk and
compliance management related news stories and world events
Do you want to receive every Monday the Top 10 risk and
compliance management related news stories and world events that
(for better or for worse) shaped the week's agenda, and what is
You may submit the form that follows. We meet
strict national and international privacy standards. You can
unsubscribe at any time.
Who is Covered by the Privacy
Privacy Rule, as well as all the
Administrative Simplification rules, apply to
health plans, health care clearinghouses, and to any health care
provider who transmits health information in electronic form in
connection with transactions for which the Secretary of HHS has
adopted standards under HIPAA (the “covered entities”).
Health Plans. Individual and
group plans that provide or pay the cost of medical care are
include health, dental,
vision, and prescription drug insurers, health maintenance
organizations (“HMOs”), Medicare, Medicaid, Medicare+Choice and
Medicare supplement insurers, and long-term care insurers
(excluding nursing home fixed-indemnity policies).
Health plans also include
employer-sponsored group health plans, government and
church-sponsored health plans, and multi-employer health plans.
There are exceptions—a
group health plan with less than 50 participants that is
administered solely by the employer that established and
maintains the plan is not a covered entity.
of government funded programs are not
(1) those whose principal purpose
is not providing or paying the cost of health care, such as the
food stamps program; and
(2) those programs whose
principal activity is directly providing health care, such as a
community health center, or the making of grants to fund the
direct provision of health care.
Certain types of
insurance entities are also not health plans, including entities
providing only workers’ compensation, automobile insurance, and
property and casualty insurance.
Health Care Providers. Every
health care provider, regardless of size, who electronically
transmits health information in connection with certain
transactions, is a covered entity.
include claims, benefit eligibility inquiries, referral
authorization requests, or other transactions for which HHS has
established standards under the HIPAA Transactions Rule.
Using electronic technology, such as email, does not mean a
health care provider is a covered entity; the transmission must
be in connection with a standard transaction.
The Privacy Rule covers a health care
provider whether it electronically transmits these transactions
directly or uses a billing service or other third party to do so
on its behalf.
Health care providers include all
“providers of services” (e.g., institutional providers such as
hospitals) and “providers of medical or health services” (e.g.,
non-institutional providers such as physicians, dentists and
other practitioners) as defined by Medicare, and any other
person or organization that furnishes, bills, or is paid for
Clearinghouses. Health care clearinghouses are entities
that process nonstandard information they receive from another
entity into a standard (i.e., standard format or data content),
or vice versa.
In most instances, health care
clearinghouses will receive individually identifiable health
information only when they are providing these processing
services to a health plan or health care provider as a business
In such instances, only certain provisions
of the Privacy Rule are applicable to the health care
clearinghouse’s uses and disclosures of protected health
Health care clearinghouses include billing
services, repricing companies, community health management
information systems, and value-added networks and switches if
these entities perform clearinghouse functions.
Certified Risk and Compliance Management Professional (CRCMP)
Distance Learning and Online Certification Program
Certified Information Systems Risk and Compliance
Distance Learning and Online Certification Program
To learn more:
Receive the New Member Orientation Newsletters
You will have the opportunity to learn what members
registered before you have already learned. Understand better
risk and compliance management, projects, careers, challenges