The Health Insurance Portability and Accountability Act, or HIPAA, which was enacted by the US Congress in 1996, has introduced sweeping changes in health care administration and information systems. HIPAA is a federal law that amends the Internal Revenue Code of 1986 and is intended to improve the portability and continuity of health insurance; combat waste, fraud and abuse in health insurance and health care delivery; promote the use of medical savings accounts and improve access to long-term health care services and coverage; and simplify the administration of health insurance.
HIPAA is designed to standardize the way all health care organizations electronically exchange sensitive patient data and to protect patients from unauthorized disclosure of their medical records (whether paper or electronic). Under HIPAA, there are specific standards that all health care organizations are required to adhere to. These standards include an Administrative Simplification Title that is aimed at preventing health care fraud and abuse. Within this title, there are several laws and proposed standards including Electronic Health Transactions Standards, Privacy & Confidentiality Standards, Unique Health Identifiers, and Security & Electronic Signature Standards.
These HIPAA laws and standards apply directly to the following groups of health care entities: health plans (public and private payers, health care insurers, HMOs, Medicare, Medicaid and group health plans); health care clearinghouses (any entity that facilitates the processing of non-standard-format health information and must convert the non-standard data into standard transactions, or vice versa); and health care providers (providers who transmit health information electronically, providers who receive individual health information, and providers who electronically maintain health information used in electronic transmissions between entities).
Non-compliance with HIPAA regulations may disrupt an organization’s day-to-day business processes, resulting in both tangible and intangible costs. The most serious implications of HIPAA non-compliance for health care organizations include the inability to conduct electronic business effectively and the potential loss of significant segments of business. The government also imposes sanctions on those who fail to comply with HIPAA regulations. The penalty for failure to comply with the regulations is up to $100 per violation per person, up to a maximum of $25,000 per year. The penalty for knowingly and wrongfully disclosing individually identifiable health information is up to $50,000 per violation, one year of imprisonment, or both for a simple offense; up to $100,000 per violation, five years of imprisonment, or both if the offense is committed “under false pretenses”; and up to $250,000, ten years of imprisonment, or both if committed with intent to sell, transfer or use the information for commercial advantage, personal gain or malicious harm.
Thus, the ultimate objective of HIPAA is to increase the efficiency and effectiveness of health information systems through improvements in electronic health care transactions, while maintaining the security and privacy of individually identifiable health information. It also helps to promote the modernization of health information systems. Becoming HIPAA-compliant is a challenging task because of extensive cross-departmental compliance and training requirements, and it remains an ongoing administrative, privacy and security challenge that must be constantly addressed.