The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA, Title II) require the Department of Health and Human Services (HHS) to establish national standards for electronic health care transactions and national identifiers for providers, health plans, and employers. It also addresses the security and privacy of health data. Adopting these standards will improve the efficiency and effectiveness of the nation’s health care system by encouraging the widespread use of electronic data interchange in health care.
The HIPAA Administrative Simplification legislation was intended to improve the efficiency of the exchange of electronic health information among health care organizations while placing a high emphasis on reasonably ensuring the confidentiality of individually identifiable health information (IIHI). HIPAA defines IIHI as protected health information (PHI).
Which companies in India have to comply?
With the changes to the HIPAA regulation introduced by the HITECH Act passed in 2009, all business associates based in India have to comply. Some examples are:
- Software development company creating healthcare software for a US company
- Healthcare Insurance BPO
- Medical billing company
- Medical Transcription Company
- Telemedicine company
- Translation company
- Healthcare consulting company
- Hospital promoting health tourism to US clients in partnership with an insurance company
And many other organizations supporting the insurance and healthcare industries.
To evaluate your Business HIPAA compliance status, download the free business associate HIPAA compliance questionnaire.
New Enforcement Provisions
- HITECH significantly increases the civil penalties, creating the following tier system:
- Tier A (a reasonable person would not have known of the violation): A penalty of $100 for each violation, not to exceed $25,000 for violations of identical requirements during a calendar year.
- Tier B (reasonable cause but not willful neglect): A penalty of $1,000 for each violation, not to exceed $100,000 for violations of identical requirements during a calendar year.
- Tier C (willful neglect, but corrected once the violation is known to be due to willful neglect): A penalty of $10,000 for each violation, not to exceed $250,000 for violations of identical requirements during a calendar year.
- Tier D (willful neglect, and not corrected once the violation is known to be due to willful neglect): A penalty of $50,000 for each violation, not to exceed $1,500,000 for violations of identical requirements during a calendar year.
In determining the amount of the penalty, OCR will consider the nature and extent of the violation, as well as the harm resulting from the violation.
- Violator’s State of Mind
- Violation Unknown: Penalties for violations where the person did not know, and by exercising reasonable diligence would not have known, can be assessed under Tiers A through D. No penalty may be imposed if the failure is corrected within 30 days of the date the person liable for the penalty knew, or exercising reasonable diligence would have known, that the failure to comply occurred.
- Violation Due to Reasonable Cause: Penalties for violations due to reasonable cause and not to willful neglect can be assessed under Tiers B through D. No penalty may be imposed if the failure is corrected within 30 days (or such longer period as allowed by DHHS) of the date the person liable for the penalty knew, or exercising reasonable diligence would have known, that the failure to comply occurred. The penalty may also be waived if payment would be excessive relative to the compliance failure involved.
- Violation Due to Willful Neglect: Penalties for violations due to willful neglect where the violation is corrected can be assessed under Tiers C through D. If the violation is not corrected, the penalty will be assessed under Tier D. DHHS must formally investigate any complaint filed with its office if a preliminary investigation indicates a possible violation due to willful neglect.
To gain a better understanding of the regulation, it is recommended that your compliance officer go through comprehensive HIPAA training. It is recommended that the HIPAA compliance officer obtain the Certified HIPAA Privacy Security Expert certification.
Why is privacy and security part of HIPAA?
Security and privacy standards can promote higher quality care by assuring consumers that their personal health information is protected from inappropriate uses and disclosures. It’s also understood that privacy and security are interconnected. Any organization charged with protecting consumers’ private information can’t reasonably do so without also implementing appropriate security standards.
HIPAA has resulted in:
- Standardization of electronic, administrative, and financial health care transactions
- Unique health identifiers for employers and health care providers (At some time in the future, health plan identifiers will be mandated. It’s highly unlikely, even though mandated by HIPAA, that individual health care identifiers will be implemented per the Center for Medicare and Medicaid Services [CMS] and Congress.)
- Security standards protecting the availability, confidentiality, and integrity of individually identifiable health information (called protected health information or PHI under HIPAA), past, present or future. (The security rule addresses only the security of electronic PHI, but the privacy rule does include the requirement to implement protections for all PHI, no matter the form.)
- Privacy of PHI
HIPAA Administrative Simplification standards
Administrative Simplification was intended to reduce the high cost and administrative burden of health care. Costs are reduced through the implementation of Electronic Data Interchange (EDI) standards for the electronic transmission of many administrative and financial transactions that had been predominantly performed on paper or using nonstandard electronic transactions. It’s still too early to tell the return on investment of the move to standardized electronic transactions, but it’s hoped that, in the long run, administrative costs of health care will be significantly reduced.
In addition, standards for protecting the privacy and security of patient health information that’s exchanged, stored, maintained, etc., within the health care industry have been implemented.
HIPAA establishes civil and criminal penalties for noncompliance. Civil penalties are measured by violation. Penalties are set at $100 per violation with a maximum penalty of $25,000 per year for like violations. Criminal penalties are severe and can result in the imposition of significant fines as well as imprisonment. Enforcement of the HIPAA rules and how civil penalties are levied are fully described in the recently published HIPAA Enforcement Rule.
HITECH Changes to HIPAA
- Business Associates (BAs)
- Expanded Definition of BA:
- Organizations that provide data transmission of PHI to a covered entity (CE) or its BA, and require routine access to PHI (e.g., Health Information Exchange Organizations, Regional Health Information Organizations, and E-prescribing Gateways) are now BAs; and
- Vendors that contract with a CE with an electronic health record (EHR) to support the CE’s offering of a personal health record (PHR) to patients are now BAs. CEs must enter into a BA Agreement with those organizations and vendors.
- Obligation for HIPAA Privacy and/or Security Rule violations by CEs: If a BA knows that a CE has engaged in conduct that violates the HIPAA Privacy and/or Security Rule, the BA must inform the CE of the violation. If the CE does not cure the violation in a timely manner, the BA must report it to the US Department of Health and Human Services (DHHS) Office for Civil Rights (OCR).
- BAs are equally responsible to execute a BA contract with CEs.
- BAs are required to adhere to the use and disclosure provisions of the HIPAA Privacy Rule and the complete HIPAA Security Rule.
- Breach Notification Requirement added: With limited exceptions, CEs must notify affected individuals, the media in certain circumstances, and OCR when an unauthorized acquisition, access, use, or disclosure of unsecured PHI occurs. BAs are responsible for notifying CEs of any breach of unsecured PHI by the BA or the BA’s third-party vendor.
- Unsecured electronic PHI means PHI that is unencrypted, or not encrypted at the level required by the encryption standards set by the National Institute of Standards and Technology (NIST);
- Unsecured non-electronic PHI is PHI that is not shredded or completely destroyed;
- Notice by first class mail or email if specified by the individual. Additional requirements if the CE does not have current contact information for 10 or more individuals involved in the breach;
- Notice is without unreasonable delay but no more than 60 days following the breach and must contain specified information
- If a breach affects 500 or more individuals, OCR must be notified immediately, and it will post the information on its website. When a breach of that size occurs in a single state or jurisdiction, a press release or something similar must be circulated there.
- A breach involving fewer than 500 persons requires the CE to maintain a log and submit it to OCR within 60 days of the end of the calendar year.
- PHR vendors have similar obligations but report to the Federal Trade Commission (FTC) instead of OCR.
All of these requirements were effective September 23, 2009.
Business associates can jump-start their compliance by using the following templates to achieve HIPAA compliance.
For answers to your questions on how to achieve HIPAA compliance or on selecting the right training for you, feel free to contact Bob@training-hipaa.net or call 001-515-865-4591. Ask whether you are eligible for a free HIPAA course.