Public Law 104-91, better known as the Health Insurance Portability and Accountability Act (HIPAA), was enacted by the United States Congress in 1996¹ to provide limited protections for consumers when buying health insurance or when their health insurance coverage changed due to job changes or loss of employment¹. The first section of the law, “Title I,” deals primarily with the portability of health insurance through job changes/job loss and provides limited protections for those with preexisting conditions or against discrimination based on health status for an individual or their dependents.² “Title II,” the second section, addresses the privacy and security of health information, establishes standards for the use of electronic healthcare information, deals with healthcare fraud and abuse, medical liability reform, and requires national identification for health plans, employers and healthcare professionals.³ Additional information on HIPAA is available on the Centers for Medicare and Medicaid Services (CMS) website where the law can be downloaded in its entirety.

HIPAA Goals: Privacy and Security of Protected Health Information

The goal for the privacy rule outlined in Title II is to balance the need to properly protect an individual’s health information while allowing a flow of health information that promotes high quality healthcare and safeguards the public health and well-being.⁴ Measures are built into the privacy rule requiring protection of private personal health information. The rule also sets conditions and limits on the disclosures and uses that may be made with such information without patient authorization. The privacy rule further establishes patient rights over their own health information, including the right to examine their health information, obtain a copy of their personal health records, and to request that corrections be made to their record.⁵

The HIPAA security rule works in concert with the privacy rule in Title II and pertains specifically to the administrative, physical, and technical safeguards required for electronic protected health information (e-PHI).^6,7 The security rule requires all covered entities (CE) and all business associates (BA) with access to PHI to have a security management process in place “to implement policies and procedures to prevent, detect, contain and correct security violations.”⁸ These security standards include:⁹

• The CE and BA must ensure the confidentiality, integrity, and availability of all electronic protected health information that the CE or BA creates, receives, maintains or transmits
• Protection against any reasonably anticipated threats or hazards to the security or integrity of the e-PHI
• Protection against any reasonably anticipated use or disclosure of such information that are not permitted or required under the privacy rule
• Ensure compliance by the work force with this law

Unique Identifiers

The unique identifier rule mandates the use of a National Provider Identifier (NPI) by health insurance companies, hospitals and individual physicians that participate in government programs, including insurance reimbursements. The ten digit NPI number takes the place of all previously used identifiers for government programs including Medicaid and Medicare and other third party insurers. The NPI does not replace the provider’s tax identification number (TIN), state licensure number, or Drug Enforcement Administration (DEA) number.¹⁰

Consequences for Violating HIPAA

HIPAA laws are enforced by the Office of Civil Rights (within the Department of Health and Human Services) for civil violations or by the Department of Justice for criminal violations. Penalties for HIPAA violations may include fines or jail time depending on whether the breach was willful or not.¹¹ Fines and punishment for willful neglect are higher (starting at $10,000, which may or may not include imprisonment), than those for more benign cases.¹²

• Section 1173 of HIPAA covers civil infractions and penalties, which are usually imposed as monetary fines. Fines may be waived if the violation is corrected within 30 days (this time period may be extended under certain conditions). HIPAA fines start at $100 for each violation of the law, to a limit of $25,000 per calendar year for violations of the same requirement.
• Section 1177 of HIPAA covers criminal offences. Knowingly misusing or disclosing PHI includes greater fines of $50,000 to $250,000 and jail time of one to ten years. HIPAA allows both civil and criminal penalties, including fines and possible time in jail.¹³
• More information on sections 1173 and 1177 of the HIPAA law can be accessed at: http://aspe.hhs.gov/admnsimp/pl104191.htm

Health Information Technology for Economic and Clinical Health Act (HITECH Act)

The Health Information Technology for Economic and Clinical Health Act (HITECH Act) promotes the adoption and meaningful use (MU) of health information technology. The section subtitle D of the HITECH Act addresses privacy and security issues related to the electronic transmission of health information. This section also outlines the notification procedures and consequences for business associates if privacy or security provisions have been breached as stipulated within HIPAA rules.¹⁴

The Department of Health and Human Services (HHS) requires all health plans, healthcare professionals, and other entities covered by HIPAA to promptly notify individuals when their health information has been breached, as well as the HHS and the media in cases where the breach affects more than 500 individuals. Health information breaches affecting fewer than 500 individuals must be reported to the HHS on an annual basis.¹⁵

AVIGA™ Electronic Health Record (EHR)

AVIGA™ is an EHR developed by Janssen Diagnostics, Inc. and certified by the Drummond Group to meet HITECH meaningful use requirements. Although the AVIGA™ EHR does help support healthcare professionals in their efforts to meet HIPAA requirements for compliance, there are additional HIPAA requirements outside the sphere and functionality of the AVIGA™ EHR (or any other EHR system) to address. Covered entities are ultimately responsible for the attainment of full HIPAA compliance.

DISCLAIMER: THE INFORMATION CONTAINED IN THIS WEB SITE IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY AND REPRESENTS NO STATEMENT, PROMISE OR GUARANTEE BY JANSSEN DIAGNOSTICS, INC. CONCERNING RECEIPT OR PAYMENT OF GOVERNMENT INCENTIVES. JANSSEN DIAGNOSTICS, INC. STRONGLY URGES THAT YOU CONSULT WITH YOUR COUNSEL FOR ADVICE ON INCENTIVE ELIGIBILITY.