Question:
We are concerned about potential HIPAA violations. Where can our nonprofit turn to find out if we are violating HIPAA and what we need to do to fix this problem?
Answer:
The Health Insurance Portability and Accountability Act of 1996 ("HIPAA") impacts any business that is a "covered entity" and those entities that work with them directly or indirectly, known as "business associates." HIPAA has been implemented through a series of separate, but inter-connected, regulations. The Privacy Rule governs the use and disclosure of certain health information that is known as protected health information (or "PHI"), whether in oral, written, or electronic form. It requires safeguards to protect the privacy of PHI, sets boundaries on the uses and disclosures that may be made of such information without patient authorization, and grants patients certain rights regarding their health information. The Security Rule requires administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of electronic PHI. Finally, the Breach Notification Rule sets nationwide notification standards for when a breach of unsecured PHI is discovered; "unsecured" means PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through encryption or destruction as specified in HHS guidance, so encrypting electronic PHI in accordance with that guidance is what takes a lost device or intercepted file outside the notification requirement.
If you are concerned about potential HIPAA violations, the first step is to confirm whether you are a covered entity or a business associate. The agency in the federal government that enforces HIPAA, the Office for Civil Rights ("OCR"), has a website that describes the three major types of covered entities: health care clearinghouses, health plans (including health insurance companies and employer-sponsored health plans), and health care providers that electronically transmit health information in connection with certain transactions, including billing. If you perform certain functions or activities on behalf of, or certain services for, a covered entity involving PHI (directly or indirectly as a subcontractor), you could be (and likely are) a business associate.
Covered entities must comply with all aspects of the HIPAA rules, and business associates are directly liable for compliance with most provisions. OCR's website has detailed information regarding the three major provisions of the HIPAA rules: the Privacy Rule, the Security Rule, and the Breach Notification Rule. However, OCR recently released major changes to many provisions of these rules, and the cited webpages have not yet been updated to reflect these changes. OCR's website contains a press release providing a brief overview of these changes and a link to the final rule that ushered them in. A summary of the recently released rule can be found in this article.
Finally, here are the recordings and streaming PowerPoint presentations/related handout materials for two Summer 2013 Venable webinars on the subject:
The Road Map to HIPAA Compliance: What Your Nonprofit Needs to Know
Evaluating Your Nonprofit's Options under the Affordable Care Act: The Pros and Cons of Health Insurance Alternatives for Your Employees
This article was originally published on GuideStar on February 13, 2014.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.