
Health Insurance Portability and Accountability Act (HIPAA)

About HIPAA

Complying With HIPAA

Transactions

Security

Privacy

Who Is Affected?

Covered Entities and Individuals

So What's Next?


About HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress on August 21, 1996. Organizations must have become compliant by April 14, 2003 (April 14, 2004 for small health plans). The law requires any health care provider to meet certain privacy standards with respect to personal health information. The Act specifically states that "a covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information." The protection given must be for both intentional and unintentional disclosures of personal health information. HIPAA applies to the following: a health plan, which is defined as an individual plan or group health plan that provides, or pays the cost of, medical care; a health care provider which is defined as a provider of medical or health services and any person or organization who furnishes, bills, or is paid for health care services or supplies in the normal course of business; or a health care clearinghouse which is considered to be a public or private entity that processes or facilitates the processing of nonstandard data elements of health information into standard data elements.

Complying With HIPAA

Opportunities exist for CPAs to assist health care organizations and providers in complying with the Health Insurance Portability and Accountability Act (HIPAA) (Public Law 104-191). HIPAA affects most segments of the health care industry, requiring covered entities (see the discussion in the following sections) to use standard formats for many electronic transmissions of health data and to take specific measures to ensure the security and privacy of personal health information.

Transactions

Health care entities that send common health care transactions by electronic means, such as claims, eligibility and claims inquiries, or enrollment and disenrollment records, must use certain standard electronic file formats and standard code sets designated by the regulations. For most entities, the compliance date for electronic transaction standards was October 16, 2003.

Security

The Security Standards rule adopts national standards for safeguards to protect the confidentiality, integrity, and availability of electronic protected health information. HIPAA mandated security standards to protect an individual’s health information, while permitting the appropriate access and use of that information by health care providers, clearinghouses, and health plans. For most entities, the compliance date for security standards is April 21, 2005. Further information on this rule can be found on this PDF.

Privacy

The privacy rule of the HIPAA regulation went into effect on April 14, 2003. The HIPAA privacy rule provides patients access to their medical records, control over how their health information is used and disclosed, avenues for recourse if their medical privacy is compromised, and a number of other privacy rights. Covered entities must have in place various processes to support and administer those rights.

Who Is Affected?

The rules protect patients' medical records and other personal health information maintained by the following covered entities:

- Health plans: Individual or group health plans offered by health maintenance organizations and health insurers, as well as employee health benefit plans offered by employers that provide or pay the cost of medical care.

- Health care providers: Providers of medical or health services and any person or organization who furnishes, bills, or is paid for health care services or supplies in the normal course of business and sends common health care transactions, such as claims, by electronic means.

- Health care clearinghouses: Entities that process or facilitate the processing of nonstandard health information data elements and formats into standard data elements and electronic formats.

Leveraging their skills in understanding and examining information flows within organizations as well as assessing internal controls and processes for the systems that contain information, CPAs can turn the regulatory burden of the HIPAA privacy rule into an opportunity for health care providers to show not only that they comply with the rule, but also that they follow sound privacy practices.

Covered Entities and Individuals Both Have Privacy Obligations and Rights

The HIPAA privacy rule also defines some rights and obligations for both covered entities and individual patients and health plan members. Some of the highlights are:

- Individuals must give specific authorization before health care providers can use or disclose protected information in most non-routine circumstances, such as releasing information to an employer or for use in marketing activities.

- Covered entities will need to provide individuals with written notice of their privacy practices and patients' privacy rights. The notice will contain information that could be useful to individuals choosing a health plan, doctor, or other provider. Patients will generally be asked to sign or otherwise acknowledge receipt of the privacy notice.

- Covered entities must obtain an individual's specific authorization before sending them marketing materials.

HIPAA requires health care organizations and providers to meet certain privacy standards with respect to personal health information. The HIPAA privacy rule specifically states that "a covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information." The protection given must be for both intentional and unintentional disclosures of personal health information.

So What's Next?

The HIPAA checklist is designed for use by CPAs to assist their clients in complying with the HIPAA privacy rule. It provides a targeted look at some of the issues facing small to medium-size health care providers in complying with the privacy provisions of HIPAA. This checklist should be used to alert CPAs and their clients to areas in which their compliance effort may fall short. This will help CPAs perform a gap analysis and identify priority areas for advisory work.

HIPAA is multifaceted, covering many areas of personal health information. This questionnaire focuses only on the privacy provisions of HIPAA and is not intended to cover all matters that need to be considered in order to comply with all of the requirements of HIPAA. CPAs can add tremendous value to their clients in helping them design effective privacy programs and follow solid privacy practices.

Copyright © 2007 by the American Institute of Certified Public Accountants, Inc., New York, New York.