HIT in Practice: HIPAA

Health Insurance Portability and Accountability Act (HIPAA) Overview

Public Law 104-91, better known as the Health Insurance Portability and Accountability Act (HIPAA), was enacted by the United States Congress in 1996 to provide limited protections for consumers when buying health insurance or when their health insurance coverage changed because of a change or loss of employment.1 The first section of the law, "Title I," deals primarily with the portability of health insurance through job changes or job loss and provides limited protections for those with preexisting conditions and against discrimination based on the health status of an individual or their dependents.2 "Title II," the second section, addresses the privacy and security of health information, establishes standards for the use of electronic healthcare information, deals with healthcare fraud and abuse and with medical liability reform, and requires national identifiers for health plans, employers and healthcare professionals.3 Additional information on HIPAA is available on the Centers for Medicare and Medicaid Services (CMS) website, where the law can be downloaded in its entirety.

HIPAA Goals: Privacy and Security of Protected Health Information

The goal for the privacy rule outlined in Title II is to balance the need to properly protect an individual's health information while allowing a flow of health information that promotes high quality healthcare and safeguards the public health and well-being.4 Measures are built into the privacy rule requiring protection of private personal health information. The rule also sets conditions and limits on the disclosures and uses that may be made with such information without patient authorization. The privacy rule further establishes patient rights over their own health information, including the right to examine their health information, obtain a copy of their personal health records, and to request that corrections be made to their record.5

The HIPAA security rule works in concert with the privacy rule in Title II and pertains specifically to the administrative, physical, and technical safeguards required for electronic protected health information (e-PHI).6,7 The security rule requires all covered entities (CE) and all business associates (BA) with access to PHI to have a security management process in place "to implement policies and procedures to prevent, detect, contain and correct security violations."8 These security standards include:9

  • The CE and BA must ensure the confidentiality, integrity, and availability of all electronic protected health information that the CE or BA creates, receives, maintains or transmits
  • The CE and BA must protect against any reasonably anticipated threats or hazards to the security or integrity of the e-PHI
  • The CE and BA must protect against any reasonably anticipated use or disclosure of such information that is not permitted or required under the privacy rule
  • The CE and BA must ensure compliance with this law by their workforce

Unique Identifiers

The unique identifier rule mandates the use of a National Provider Identifier (NPI) by health insurance companies, hospitals and individual physicians that participate in government programs, including insurance reimbursements. The ten-digit NPI takes the place of all previously used identifiers for government programs, including Medicaid and Medicare, and for other third-party insurers. The NPI does not replace the provider's tax identification number (TIN), state licensure number, or Drug Enforcement Administration (DEA) number.10

Consequences for Violating HIPAA

HIPAA is enforced by the Office for Civil Rights (within the Department of Health and Human Services) for civil violations and by the Department of Justice for criminal violations. Penalties for HIPAA violations may include fines or jail time, depending on whether the breach was willful.11 Fines and punishment for willful neglect (starting at $10,000, and possibly including imprisonment) are higher than those for more benign cases.12

  • Section 1173 of HIPAA covers civil infractions and penalties, which are usually imposed as monetary fines. Fines may be waived if the violation is corrected within 30 days (this period may be extended under certain conditions). HIPAA fines start at $100 for each violation of the law, up to a limit of $25,000 per calendar year for violations of the same requirement.
  • Section 1177 of HIPAA covers criminal offenses. Knowingly misusing or disclosing PHI carries greater fines of $50,000 to $250,000 and jail time of one to ten years. HIPAA allows both civil and criminal penalties, including fines and possible time in jail.13
  • More information on sections 1173 and 1177 of the HIPAA law can be accessed at: http://aspe.hhs.gov/admnsimp/pl104191.htm

HIPAA Violation | Minimum Penalty | Maximum Penalty
--- | --- | ---
Individual error (did not knowingly commit HIPAA violation, even if due diligence was rendered) | $100/violation (annual maximum of $25,000 per calendar year) | $50,000/violation (annual maximum of $1.5 million per calendar year)
HIPAA violation due to reasonable cause and not due to willful neglect | $1,000/violation (annual maximum of $100,000 for repeat violations) | $50,000/violation (annual maximum of $1.5 million)
HIPAA violation due to willful neglect, but the violation is corrected within the required time period | $10,000/violation (annual maximum of $250,000 for repeat violations) | $50,000/violation (annual maximum of $1.5 million)
HIPAA violation due to willful neglect that is not corrected | $50,000/violation (annual maximum of $1.5 million) | $50,000/violation (annual maximum of $1.5 million)

Health Information Technology for Economic and Clinical Health Act (HITECH Act)

The Health Information Technology for Economic and Clinical Health Act (HITECH Act) promotes the adoption and meaningful use (MU) of health information technology. Subtitle D of the HITECH Act addresses privacy and security issues related to the electronic transmission of health information. It also outlines the notification procedures and the consequences for business associates when the privacy or security provisions stipulated within the HIPAA rules have been breached.14

The Department of Health and Human Services (HHS) requires all health plans, healthcare professionals, and other entities covered by HIPAA to promptly notify individuals when their health information has been breached, as well as the HHS and the media in cases where the breach affects more than 500 individuals. Health information breaches affecting fewer than 500 individuals must be reported to the HHS on an annual basis.15

AVIGA™ Electronic Health Record (EHR)

AVIGA™ is an EHR developed by Janssen Diagnostics, LLC. Although the AVIGA™ EHR can help support healthcare professionals in their efforts to meet HIPAA compliance requirements, there are additional HIPAA requirements outside the sphere and functionality of the AVIGA™ EHR (or any other EHR system) that must be addressed. Covered entities remain ultimately responsible for attaining full HIPAA compliance.

  1. Centers for Medicare and Medicaid Services. Health Insurance Overview for Consumers. Available at: https://www.cms.gov/HealthInsReformforConsume/. Accessed March 23, 2011.
  2. Centers for Medicare and Medicaid Services. The Health Insurance Portability and Accountability Act of 1996. Helpful Tips. Available at: https://www.cms.gov/HealthInsReformforConsume/Downloads/HIPAA_Helpful_Tips_Rev_1.pdf. Accessed March 23, 2011.
  3. Centers for Medicare and Medicaid Services. HIPAA General Information Overview. Available at: http://www.cms.gov/HIPAAGenInfo/. Accessed March 23, 2011.
  4. US Department of Health & Human Services. Health Information Privacy: Summary of the HIPAA Privacy Rule. Introduction. Available at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html. Accessed March 23, 2011.
  5. US Department of Health & Human Services. Health Information Privacy: The Privacy Rule. Available at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html. Accessed March 2011.
  6. US Department of Health & Human Services. Health Information Privacy: The Security Rule. Available at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/index.html. Accessed March 23, 2011.
  7. Federal Register, Part II, Department of Health and Human Services, 45 CFR Parts 160, 162 and 164, Health Insurance Reform: Security Standards; Final Rule. February 20, 2003. p. 8335.
  8. Federal Register, Part II, Department of Health and Human Services, 45 CFR Parts 160, 162 and 164, Health Insurance Reform: Security Standards; Final Rule. February 20, 2003. p. 8377.
  9. Federal Register, Part II, Department of Health and Human Services, 45 CFR Parts 160, 162 and 164, Health Insurance Reform: Security Standards; Final Rule. February 20, 2003. p. 8376.
  10. US Department of Health and Human Services. National Provider Identifier Activities Begin in 2005. Available at: http://www.cms.gov/NationalProvIdentStand/Downloads/NPIdearprovider.pdf.
  11. Cohn S, Dea R, Cooper T. HIPAA: What's True, What Isn't. The Permanente Journal, 2003, Volume 7, No. 3. Available here. Accessed April 12, 2011.
  12. American Medical Association. HIPAA: Health Insurance Portability Accountability Act. Available at: http://www.ama-assn.org/ama/pub/physician-resources/solutions-managing-your-practice/coding-billing-insurance/hipaahealth-insurance-portability-accountability-act/hipaa-violations-enforcement.page. Accessed April 12, 2011.
  13. American Medical Association. HIPAA: Health Insurance Portability Accountability Act. Available at: http://www.ama-assn.org/ama/pub/physician-resources/solutions-managing-your-practice/coding-billing-insurance/hipaahealth-insurance-portability-accountability-act/hipaa-violations-enforcement.page. Accessed April 12, 2011.
  14. US Department of Health & Human Services. Health Information Privacy: HITECH Act Enforcement Interim Final Rule. Available at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/enforcementrule/hitechenforcementifr.html. Accessed March 2011.
  15. US Department of Health & Human Services. Health Information Privacy: HITECH Breach Notification Interim Final Rule. Available at: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/breachnotificationifr.html. Accessed March 2011.

On February 2nd, 2012, Virco Lab, Inc. changed its legal name to Janssen Diagnostics, Inc. Our website is in the process of being updated to reflect these name changes.