The mission of the U.S. Department of Health and Human Services (HHS) is to enhance the health and well-being of all Americans, by providing for effective health and human services and by fostering sound, sustained advances in the sciences underlying medicine, public health, and social services.
HHS & OCR
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) enforces federal civil rights laws, conscience and religious freedom laws, the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules, and the Patient Safety Act and Rule, which together protect your fundamental rights of nondiscrimination, conscience, religious freedom, and health information privacy.
How OCR Protects You
A HIPAA audit is a protocol the OCR follows to assess the policies, controls, and processes that covered entities or business associates use to comply with HIPAA and to protect PHI and ePHI. Each audit follows consistent steps, with a separate module for each HIPAA rule, to evaluate the organization’s compliance with that rule’s standards.
If an organization is selected by the OCR to participate in the audit program, it is notified and asked to provide the documents and data specified in that notification. The organization submits the requested information to the OCR through the designated secure portal, and the OCR then reviews the data. Once the OCR has reviewed each document, it produces a final audit report, which includes the organization’s comments in response.
- Teaching health and social service workers about civil rights laws, conscience and religious freedom laws, health information privacy, and patient safety confidentiality laws.
- Educating communities about civil rights, conscience and religious freedom rights, and health information privacy rights.
- Investigating civil rights, conscience and religious freedom, health information privacy, and patient safety confidentiality complaints to identify discrimination or violation of the law and taking action to correct problems.
A HIPAA VIOLATION CAN COST UP TO $250,000
The 5 Titles of HIPAA
Title I: Focus on Health Care Access, Portability, and Renewability
- Regulates the availability of group and individual health insurance policies: Title I modified the Employee Retirement Income Security Act along with the Public Health Service Act and the Internal Revenue Code.
- Requires the coverage of, and limits the restrictions that a group health plan places on, benefits for preexisting conditions. Group health coverage may only refuse benefits that relate to preexisting conditions for 12 months after enrollment, or 18 months for late enrollment.
- Enables individuals to limit the exclusion period, taking into account how long they were covered before enrolling in the new plan after any break in coverage.
- Covers “creditable coverage,” which includes nearly all group and individual health plans, Medicare, and Medicaid.
- Defines a “significant break” as any 63-day period that an individual goes without creditable coverage. It allows premiums to be tied to avoiding tobacco use, or to body mass index.
- Requires insurers to issue policies without exclusion to those leaving group health plans with creditable coverage exceeding 18 months, and to renew individual policies for as long as they are offered, or to provide alternatives to discontinued plans for as long as the insurer stays in the market, without exclusion regardless of health condition.
Title II:
- Establishes policies and procedures for maintaining privacy and security of individually identifiable health information, outlines offenses, and creates civil and criminal penalties for violations.
- Creates programs to control fraud and abuse and Administrative Simplification rules.
- Requires the Department of Health and Human Services (HHS) to increase the efficiency of the health care system by creating standards.
HHS initiated 5 rules to enforce Administrative Simplification: (1) Privacy Rule, (2) Transactions and Code Sets Rule, (3) Security Rule, (4) Unique Identifiers Rule, and (5) Enforcement Rule.
Privacy Rule
The HIPAA Privacy Rule regulates the use and disclosure of protected health information (PHI) by “covered entities.” These entities include health care clearinghouses, health insurers, employer-sponsored health plans, and medical providers. Upon request, covered entities must disclose PHI to an individual within 30 days. Entities mentioned earlier must provide and disclose PHI as required by law enforcement for the investigation of suspected child abuse.
- Covered entities may disclose PHI to law enforcement if requested to do so by court orders, court-ordered warrants, subpoenas, and administrative requests.
- A covered entity may reveal PHI to facilitate treatment, payment, or health care operations without a patient’s written authorization.
- Any other disclosures of PHI require the covered entity to obtain prior written authorization.
- When a covered entity discloses PHI, it must make a reasonable effort to share only the minimum necessary information.
- The Privacy Rule gives individuals the right to demand that a covered entity correct any inaccurate PHI and take reasonable steps to ensure the confidentiality of communications with individuals.
- The Privacy Rule requires covered entities to notify individuals of PHI use, keep track of disclosures, and document privacy policies and procedures.
2013 Omnibus Rule Update
- The revised definition of “significant harm” to an individual in breach analysis requires covered entities to investigate more thoroughly, with the intent of disclosing breaches that were previously not reported.
- Protection of PHI was changed from indefinite to 50 years after death.
- The HIPAA Privacy Rule may be waived during a natural disaster.
Right to Access
The Privacy Rule requires medical providers to give individuals PHI access when an individual requests information in writing. A provider has 30 days to provide a copy of the information to the individual. An individual may request the information in electronic form or hard copy.
- Individuals have the right to access all health-related information (except psychotherapy notes of a provider, and information gathered by a provider to defend against a lawsuit).
- Providers may charge a reasonable amount for copying costs. However, no charge is allowable when providing data electronically from a certified electronic health record (EHR) using its “view, download, and transfer” capability.
- An individual may authorize the delivery of information using either encrypted or unencrypted email, media, direct messaging, or other methods. When using unencrypted delivery, an individual must understand and accept the risks of data transfer.
- An individual may request in writing that their PHI be delivered to a third party.
- An individual may request in writing that their provider send PHI to a designated service used to collect or manage their records, such as a Personal Health Record application.
Relative Disclosure
Hospitals may not reveal information over the phone to relatives of admitted patients.
- This has impeded the location of missing persons: after airline crashes, for example, hospitals have been reluctant to disclose the identities of passengers being treated, making it difficult for relatives to locate them.
Transactions and Code Sets Rule
HIPAA was created to improve health care system efficiency by standardizing health care transactions. It added a new Part C, titled “Administrative Simplification,” that requires health plans to standardize their health care transactions.
- For example, medical providers who file for reimbursement electronically must submit their electronic claims using HIPAA standards in order to be paid.
Security Rule
The Security Rule complements the Privacy Rule. While the Privacy Rule pertains to all Protected Health Information, the Security Rule is limited to Electronic Protected Health Information. It lays out 3 types of security safeguards: administrative, physical, and technical.
Administrative Safeguards
Policies and procedures are designed to show clearly how the entity will comply with the act.
- Covered entities must adopt a written set of privacy procedures and designate a privacy officer for developing and implementing required policies and procedures.
- Procedures must identify classes of employees who have access to electronic protected health information and restrict it to only those employees who need it to complete their job function.
- The procedures must address access authorization, establishment, modification, and termination.
- Entities must show appropriate ongoing training for handling PHI.
- Covered entities must back up their data and have disaster recovery procedures.
- Internal audits are required to review operations with the goal of identifying security violations.
- Procedures should document instructions for addressing and responding to security breaches.
Physical Safeguards
- Control physical access to protected data.
- Control the introduction and removal of hardware and software from the network, and limit it to authorized individuals.
- Access to equipment containing health information must be controlled and monitored.
- Require proper workstation use, and keep monitor screens out of direct public view.
- If covered entities use contractors or agents, they too must be thoroughly trained on handling PHI.
Technical Safeguards
Technical safeguards include controlling access to computer systems and enabling covered entities to protect communications containing PHI transmitted electronically over open networks.
- Information systems housing PHI must be protected from intrusion.
- Data within a system must not be changed or erased in an unauthorized manner.
- Data corroboration, including the use of a checksum, double-keying, message authentication, and digital signatures, must be used to ensure data integrity and to authenticate the entities with which they communicate.
- Entities must make documentation of their HIPAA practices available to the government.
- Information technology documentation should include a written record of all configuration settings on the components of the network.
- Documented risk analysis and risk management programs are required.
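As an added illustration of the integrity mechanisms listed above (this code is not from the page or from HHS), the following Python contrasts an unkeyed checksum with a keyed message authentication code over a constructed ePHI record; the record fields and the key are assumptions made for the demo.

```python
import hashlib
import hmac
import json

# Constructed sample ePHI record; all values are fictitious.
RECORD = {"patient_id": "P-000123", "dob": "1970-01-01",
          "diagnosis_code": "Z00.00", "provider_npi": "1234567893"}
# Demo key only: a production MAC key lives in an HSM or key management service,
# never beside the records it protects.
KEY = b"constructed-demo-key"

def canonical(record):
    """Serialize deterministically so equal content always yields equal bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def checksum(record):
    """Unkeyed checksum: catches accidental corruption, but anyone can recompute it."""
    return hashlib.sha256(canonical(record)).hexdigest()

def mac_tag(record, key=KEY):
    """Keyed MAC: recomputing it requires the key, so unauthorized edits stand out."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()

def verify(record, stored_checksum, stored_tag, key=KEY):
    """Report which integrity mechanisms still agree with the stored values."""
    return {"checksum_ok": hmac.compare_digest(checksum(record), stored_checksum),
            "mac_ok": hmac.compare_digest(mac_tag(record, key), stored_tag)}

def demo():
    stored_checksum, stored_tag = checksum(RECORD), mac_tag(RECORD)
    # Legitimate read: both mechanisms agree.
    clean = verify(RECORD, stored_checksum, stored_tag)
    # Accidental corruption (a bad disk block, say): both mechanisms catch it.
    corrupted = dict(RECORD, dob="1970-01-02")
    accidental = verify(corrupted, stored_checksum, stored_tag)
    # Unauthorized edit by someone who can write to the record store but lacks
    # the key: the checksum was recomputed along with the edit, so only the MAC
    # shows that the record no longer matches what was originally stored.
    edited = dict(RECORD, diagnosis_code="Z99.99")
    unauthorized = verify(edited, checksum(edited), stored_tag)
    return clean, accidental, unauthorized

if __name__ == "__main__":
    print(demo())
```

The same contrast applies to a digital signature, which additionally lets a party without the signing key verify the record.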
Unique Identifiers Rule (National Provider Identifier, NPI)
HIPAA-covered entities such as providers completing electronic transactions, healthcare clearinghouses, and large health plans must use only the National Provider Identifier (NPI) to identify covered healthcare providers in standard transactions.
The NPI replaces all other identifiers used by health plans, Medicare, Medicaid, and other government programs. The NPI does not replace a provider’s DEA number, state license number, or tax identification number. The NPI is 10 digits (may be alphanumeric), with the last digit a checksum. The NPI cannot contain any embedded intelligence; the NPI is a number that does not itself have any additional meaning. The NPI is unique and national, never re-used, and except for institutions, a provider usually can have only one. An institution may obtain multiple NPIs for different “sub-parts” such as a free-standing surgery or wound care center.
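The check digit described above can be verified with the Luhn formula applied to the NPI prefixed with the constant 80840, as in this added Python example (not the page's or CMS's own code); the sample base 123456789 is used only as a worked input, and the check assumes an all-numeric NPI.

```python
NPI_PREFIX = "80840"  # fixed prefix, so "80840" + NPI must pass the Luhn test

def luhn_sum(digits):
    """Luhn weighted sum: double every second digit from the right, add the digits."""
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:  # every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9  # same as adding the two digits of the doubled value
        total += d
    return total

def npi_check_digit(base):
    """Compute the tenth (check) digit for a nine-digit NPI base."""
    if len(base) != 9 or not base.isdigit():
        raise ValueError("NPI base must be nine digits")
    partial = luhn_sum(NPI_PREFIX + base + "0")  # check-digit slot set to 0
    return str((10 - partial % 10) % 10)

def npi_is_valid(npi):
    """True if npi is ten numeric digits whose last digit satisfies the Luhn check."""
    if len(npi) != 10 or not npi.isdigit():
        return False
    return luhn_sum(NPI_PREFIX + npi) % 10 == 0

if __name__ == "__main__":
    print(npi_check_digit("123456789"))  # 3, so 1234567893 is well formed
    print(npi_is_valid("1234567893"))    # True
    print(npi_is_valid("1234567863"))    # False: one digit mis-keyed
    print(npi_is_valid("2134567893"))    # False: adjacent digits transposed
```

A passing check digit only shows that the number is well formed; whether it is actually assigned to a provider has to be looked up in the NPPES NPI Registry.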
Enforcement Rule
- The Enforcement Rule sets civil money penalties for violating HIPAA rules.
- It establishes procedures for investigations and hearings for HIPAA violations.
- The US Department of Health and Human Services has investigated over 20,000 cases, resolved by requiring changes in privacy practice or by corrective action.
- If noncompliance is determined, entities must apply corrective measures.
- Complaints have been investigated against pharmacy chains, major health care centers, insurance groups, hospital chains, and small providers.
According to HHS, the following issues have been reported, listed by frequency:
- Misuse and disclosures of PHI
- No protection in place for health information
- Patients unable to access their health information
- Using or disclosing more than the minimum necessary protected health information
- No safeguards for electronic protected health information
The most common entities required to take corrective action according to HHS are listed below by frequency:
- Private Practices
- Hospitals
- Outpatient Facilities
- Group insurance plans
- Pharmacies
Title III:
- Standardizes the amount that may be saved per person in a pre-tax medical savings account.
- Makes medical savings accounts available to employees covered under an employer-sponsored high-deductible plan for a small employer, and to self-employed individuals.
Title IV:
Title IV specifies conditions for group health plans regarding coverage of persons with pre-existing conditions and modifies continuation of coverage requirements. It clarifies continuation coverage requirements and includes COBRA clarification.
Title V:
- Includes provisions on company-owned life insurance for employers, prohibiting the tax deduction of interest on life insurance loans, company endowments, or contracts related to the company.
- Repeals the financial institution rule to interest allocation rules.
- Amends provisions of law relating to people who give up United States citizenship or permanent residence, expanding the expatriation tax to be assessed against those deemed to be giving up their US status for tax reasons.
- Makes former citizens’ names part of the public record through the creation of the Quarterly Publication of Individuals Who Have Chosen to Expatriate.