Health Insurance Portability & Accountability Act

HIPAA is changing the medical industry and Royal Imaging has responded by creating a comprehensive summary of questions and answers. This guide will answer some of your questions regarding the complex legislation as well as offer products that will assist you in securing your patients' records.

What is HIPAA?

To improve the efficiency and effectiveness of the health care system, the Health Insurance Portability and Accountability Act of 1996 included a series of "administrative simplification" provisions that require the Department of Health and Human Services (HHS) to adopt national standards for electronic health care transactions. By ensuring consistency throughout the industry, these national standards will make it easier for health plans, doctors, hospitals and other health care providers to process claims and other transactions electronically. The law also required security and privacy standards in order to protect personal health information.

Who must comply?

As required by HIPAA, the final regulation covers health plans, health care clearinghouses, and those health care providers who conduct certain financial and administrative transactions electronically. The provisions of the final rule generally apply equally to private sector and public sector entities.

When is the deadline for compliance?

As required by the HIPAA law, most covered entities have two full years - until April 14, 2003 - to comply with the privacy rule's provisions. The law gives HHS the authority to make appropriate changes to the rule prior to the compliance date. Small health plans have until April 14, 2004 (small health plans are defined as having less than $5 million in annual receipts).

What kind of information is protected?

All medical records and other individually identifiable health information used or disclosed by a covered entity in any form, whether electronically, on paper, or orally, are covered by the rule.

What measures must be taken to protect information?

The Privacy Rule generally requires covered entities to take reasonable steps to limit the use or disclosure of protected health information (PHI) to the minimum necessary to accomplish the intended purpose. The minimum necessary standard is intended to make covered entities evaluate their practices and enhance protections as needed to prevent unnecessary or inappropriate access to PHI. It is intended to reflect and be consistent with, not override, professional judgment and standards. Therefore, it is expected that covered entities will draw on the input of prudent professionals involved in health care activities when developing policies and procedures that will appropriately limit access to personal health information without sacrificing the quality of health care.

Who enforces HIPAA?

The Department of Health and Human Services will be responsible for determining if institutions are HIPAA compliant as well as assessing penalties and fines for violations.

What are the penalties for non-compliance?

Civil penalties: Health plans, providers and clearinghouses that violate these standards will be subject to civil liability. Civil money penalties are $100 per violation, up to $25,000 per person, per year for each requirement or prohibition violated.

Federal criminal penalties: Under HIPAA, Congress also established criminal penalties for knowingly violating patient privacy. Criminal penalties are up to $50,000 and one year in prison for obtaining or disclosing protected health information; up to $100,000 and up to five years in prison for obtaining protected health information under "false pretenses"; and up to $250,000 and up to 10 years in prison for obtaining or disclosing protected health information with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm.

*Information provided, taken from currently available public information, does not constitute a legal summary and is subject to change without notice.