The Health Insurance Portability & Accountability Act of 1996 (HIPAA), Public Law was passed by Congress:
Administrative Simplification is a method of making business practices (billing, claims, computer systems and communication) uniform so that providers and payers do not have to change the way they interact with each other through each other's proprietary systems. The changes affect such activities as:
Congress passed the Health Information Technology for Economic and Clinical Health Act (HITECH) as part of the American Recovery and Reinvestment Act of 2009. HITECH makes several significant modifications to HIPAA. These changes include:
The Department of Health and Mental Hygiene works hard to ensure that the privacy of every individual is maintained, whether by our entity or by one of our business associates. Business associates are an important part of the health care industry, providing services to companies in an effort to best serve their clients.
HITECH has changed the definition of a privacy breach under HIPAA. A breach is: “the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of the protected health information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.” DHMH is committed to ensuring the privacy of every individual. We have implemented policies and procedures to protect every person's health information. If you think that a DHMH facility has violated your privacy, please call or write the Privacy Officer:
Ramiek James, Esq.
Privacy Officer
DHMH - Office of the Inspector General
201 W. Preston St., Floor 5
Baltimore, MD 21201
(410) 767-5411
HITECH has also changed the notification requirements for covered entities and business associates. A covered entity has no more than 60 days* to notify an individual that his/her protected health information has been breached. There are rules in place identifying when an individual is to be notified, and the method that needs to be used.
* There are certain exceptions to the 60-day rule, which are listed in the Interim Final Rule. For additional information, please see the Interim Final Rule for Breach Notification: http://edocket.access.gpo.gov/2009/pdf/E9-20169.pdf
In an effort to better protect patient privacy, HITECH has increased the enforcement of HIPAA. HITECH created mandatory audit requirements for HHS, and it gives the State Attorney General the right to enforce privacy as well. In passing HITECH, the federal government is emphasizing that it considers protecting individuals' privacy paramount, and that all reasonable steps should be taken to ensure that it is happening.
For additional information on the increased enforcement of HIPAA, please see the Interim Final Rule for Enforcement: http://www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/enfifr.pdf
Along with increasing the enforcement requirements, HITECH has raised the penalties for privacy violations. Below is a chart of the different levels of a privacy violation, and the potential fine a covered entity could face for that violation.
There have been new modifications to the transaction and code sets. These code sets will be implemented within the next few years, and will further ease the communication and billing of health facilities. Specifically: HIPAA 5010 is modifying HIPAA 4010 transactions. ICD-10 is modifying ICD-9 diagnosis’
201 W. Preston Street, Baltimore, MD 21201-2399
(410) 767-6500 or 1-877-463-3464