HIPAA, HITECH, and the Texas Privacy Law

    Health Insurance Portability & Accountability Act Of 1996 (HIPAA)

    Congress passed HIPAA to provide consumers with greater access to health care insurance, to protect the privacy of health care data, and to promote more standardization and efficiency in the health care industry. Portability in HIPAA includes patient protections for coverage under group health plans that limit exclusions for pre-existing conditions; prohibit discrimination against employees and dependents based on their health status; and allow a special opportunity to enroll in a new plan to individuals in certain circumstances. 

    Federal Privacy Law HIPAA

    The Final Rule greatly enhances a patient’s privacy protections, provides individuals new rights to their health information, and strengthens the government’s ability to enforce the law. Some of the provisions include: 

        • Clarifying when breaches of unsecured health information must be reported to the federal government.
        • Strengthening the requirements that apply between physicians and their business associates, such as health plans and other entities that receive patient information.
        • Allowing cash paying patients to instruct their physician not to share information about their treatment with health plans.

    HIPAA Administrative Simplification Provisions

    The Administrative Simplification provisions of HIPAA streamline the administration of health care with requirements for privacy, electronic transactions and code sets, security, and national provider identifiers. These provisions apply to all covered entities.

        • The PRIVACY requirements govern disclosure of patient protected health information (PHI), while protecting patient rights. The Office of Civil Rights (OCR) enforces the HIPAA Privacy Rule.
        • The ELECTRONIC TRANSACTIONS AND CODE SETS requirements involve the transfer of health care information and the adoption of standard formats for processing claims and payments.
        • The SECURITY regulations involve the adoption of administrative, technical, and physical safeguards required to prevent unauthorized access to PHI. The Office of Civil Rights enforces the HIPAA Security Rule.
        • HHS has health information privacy guidance materials for Covered Entities.
        • The HIPAA Privacy and Security Audit Program requires HHS to provide for periodic audits to ensure covered entities and business associates are complying with the HIPAA Privacy and Security Rules and Breach Notification standards.

    Cybersecurity

    Resources

    Patient De-identification  

    The HIPAA Privacy Rules outline methods and approaches to de-identify PHI.


    HITECH Act

    The 2009 federal economic stimulus bill, American Recovery and Reinvestment Act (ARRA), substantially broadens the scope and impact of HIPAA security and privacy rules. These mandates are included in the Health Information Technology for Economic and Clinical Health (HITECH) Act, which is part of ARRA. A requirement of the stimulus bill regarding electronic protected health information (ePHI) is to notify patients and the US Dept of Health & Human Services (HHS) of "unsecured" PHI leaks and breaches. Under the stimulus bill, several HIPAA security provisions apply to business associates in the same manner as those that apply to covered entities. 

        • For a discussion of the federal government's enforcement of data security and privacy standards, please see the article in the July 2012 issue of Texas Medicine.
        • For additional information on electronic health/medical records, please see our EHR Web page.