A Brief Background on the HIPAA Rules and the HITECH Act
The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the U.S. Congress in 1996. The Act is massive in scope with five separate Titles. Title II of HIPAA, known as the Administrative Simplification provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers. The Administrative Simplification provisions also address the security and privacy of health data. The standards are meant to improve the efficiency and effectiveness of the nation's health care system by encouraging the widespread use of electronic data interchange.
The Administrative Simplification provisions apply to "Covered Entities." This is a term of art within the legislation and regulations. This term is defined here: Covered Entity Definition, with an appropriate citation, but in general the following are covered entities:
- A health plan,
- A health care clearinghouse, and
- A health care provider.
The Administrative Simplification provisions called for the Secretary of Health and Human Services to establish various rules and procedures. These have now been codified in 45 CFR Part 160, 45 CFR Part 162 , and 45 CFR Part 164. Figure 1 in the Appendix illustrates how the statute relates to the regulations. Most of the substantive text is contained in the Code of Federal Regulations (CFR) sections.
This guide deals only with a subset of the rules and only as the rules pertain to a health care provider. The Administrative Simplification provisions are dense, even for attorneys that are comfortable reading statutes and regulations. Whoever had the clever idea of calling this "Administrative Simplification" certainly had a perverse sense of humor. Unfortunately the joke is on us, as it were, since we are the beneficiaries, or the victims, depending on your point of view.
The result of this dense language is that there are many myths and much confusion that persists regarding HIPAA, despite the fact that it has been more than a decade since the legislation was passed. We have gone where angels fear to tread but make no claims with respect to adding clarity, where in fact very little clarity exists. Instead, our objective is much more modest: we simply aim to provide a map into key sections of the regulations, one that will hopefully serve as a useful point of reference when additional detailed exploration is required (accept it on faith that future exploration will be mandatory as unanticipated questions arise).
The U.S. Department of Health and Human Services (HHS) has done yeoman's work in an attempt to organize and summarize the concepts that underpin the rules. Providers should find the content available on HHS' website quite useful (www.hhs.gov). The Agency is to be commended for this effort. We encourage providers to engage with HHS so that it continues to provide substantive guidance going forward—excellent work has been done but much more is required.
- The Unique Identifiers Rule (National Provider Identifier);
- The HIPAA Privacy Rule;
- The Transactions and Code Sets Rule;
- The HIPAA Security Rule; and
- The Enforcement Rule.
When a vendor, business partner, or a colleague implies that they are HIPAA compliant, the first question you should ask (now that you know) is "under what rule?" That will quickly tell you whether or not they are on first base, or simply wandering around in the weeds of an abandoned HIPAA baseball field. Mind you, first base does not imply that they have achieved expert status, clearly they have only hit a single, but at least they are in the ballpark and possibly heading in the right direction.
Historically, it is safe to say that if a health care provider indicated they were HIPAA compliant, what they likely meant was that they were attempting to comply with the HIPAA Privacy Rule (especially true for small providers). With the recent enactment of The American Recovery and Reinvestment Act of 2009 (ARRA) and the Health Information Technology for Economic and Clinical Health Act (HITECH Act 2009) contained within it, things have become even more interesting.
The HITECH Act focuses on the establishment of a national health infrastructure and on providing incentives for the adoption of electronic health records (EHRs). It also provides for "enhanced" privacy protections. This Act now places both the HIPAA Privacy Rule and the HIPAA Security Rule as front and center issues for health care providers. Now, not only are you still subject to civil penalties for HIPAA violations (and potentially criminal penalties also) and non-compliance, such non-compliance may actually prevent you from receiving financial incentives for EHR adoption and from otherwise obtaining full reimbursement down the road (i.e. as provided for in the HITECH Act).
We only cover two of the five rules—the HIPAA Privacy Rule and the HIPAA Security Rule. If you can stomach this excursion then you are battle tested enough to eventually figure out the rest of it, if and when the need arises (depending on your tolerance for pain). We suspect that these two rules (and the HITECH Act) will keep you plenty busy for the foreseeable future.
The HIPAA Privacy Rule and HIPAA Security Rule are contained within 45 CFR Part 164, but 45 CFR Part 160 is generally applicable and that is where this journey starts. Lastly, as previously mentioned, we only cover a small subset of the HITECH Act. However, reading the HITECH section of this guide only makes sense once you have a baseline understanding of the HIPAA Privacy Rule and the HIPAA Security Rule.