The Health Insurance Portable and Accountable Act (“HIPAA”) is a federal law with regulations that health care providers, known as “covered entities” and business associates must be in compliance with.  The Health Law Center advises health care providers and business associates to ensure their compliance with HIPAA and its regulations.  HIPAA regulations focus how and when  covered entities and business associates may use and disclose patients’ “protected health information” or “PHI” consistent with privacy, security and electronic transaction requirements. In addition to HIPAA, The Health Law Center advises clients on their obligations to maintain the privacy of patients’ medical information pursuant to Michigan law.  The Health Law Center’s HIPAA clients include physician practices, hospitals, healthcare suppliers, health plans, billing companies and Health Information Exchange (“HIE”) companies.  An HIE is an organization which has the capability of electronically moving PHI between physicians, hospitals and other covered entities so that patient information is readily available to clinicians.

HIPAA is a broad statute that includes the HIPAA Privacy Rule, HIPAA Security Rule, as well as the Breach Notification Rules.  In addition, the Health Information Technology for Economic Clinical Health Act, also known as the “HITECH Act” has bolstered the HIPAA Privacy and Security Rules, particularly as they relate to business associates.  HITECH also escalated the adoption of the use of electronic health records (“EHRs”) to ensure that patients and health care professionals could communicate securely in an electronic environment.  To ensure compliance with EHR requirements, HITECH included a number of requirements, including financial incentives to hospitals and health care professionals that demonstrated “meaningful use” of their EHR systems.  It is very important to be in compliance with EHR, that health care providers contract with EHR vendors that are able to move health care providers from a paper medical record to an EHR while being in compliance with the appropriate regulations.

The HIPAA Privacy Rule and related regulations restricts the use or disclosure of protected health information (“PHI”), except when used for treatment, payment and healthcare operations.  There are also various exceptions in which PHI can be used without the authorization of the patient, if certain criteria are met.  In other instances the HIPAA Privacy Rule regulations require a patient’s written authorization before PHI can be used or disclosed outside the permitted uses and disclosures outlined in the HIPAA Privacy Rule.

“In addition to outlining the rights and responsibilities of covered entities and business associates, HIPAA regulations also provide for certain rights to patients.  Those rights include the right to access and copy their medical records, the right to amend patient information, the right to receive a healthcare provider’s notice of privacy practice, the right to restrict the use and disclosure of protected health information, and the right to file written complaints to the covered entity’s Privacy Officer.

The HIPAA Security Rule protects protected health information that is in electronic form, also known as “electronic protected health information” or “EPHI”.  HIPAA Security Rule regulations require a covered entity to identify and analyze risks to its system by conducting a Security Risk Assessment.  This is important when physicians, medical groups, and health care facilities apply for “meaningful use” incentives associated with EHRs.  If a covered entity wishes to receive Medicare meaningful use incentive payments, the covered entity must be in complaince with prescribed criteria regarding the utilizing its EHR system.  Before this can be done the covered entity must first demonstrate that it has successfully conducted a HIPAA Security Risk Analysis and corrected identified short comings.

The Health Information Technology for Economic Clinical Health Act (“HITECH Act”) was enacted in 2009 pursuant to the American Recovery and Reinvestment Act, and is meant to bolster the HIPAA Privacy and Security Rules.  HITECH now imposes direct responsibilities and sanctions on business associates who inappropriately use or disclose PHI.  HITECH also imposes greater “accounting of disclosures” for covered entities that maintain EHR.

HITECH adds a Breach Notification Rule, which requires covered entities to take specific action in the event the covered entity inappropriately uses or discloses PHI in a way that is considered to be a breach of HIPAA.  Depending on the size of the breach, a covered entity has various responsibilities it must comply with.

If you have any questions regarding HIPAA, HITECH and EHR compliance, please contact Donna J. Craig, RN, JD at The Health Law Center, PLC at don[email protected]