HIPAA   Compliance Page

Health Insurance Portability and Accountability Act of 1996
This section was compiled by Frank M. Painter, D.C.
Send all comments or additions to:   Frankp@chiro.org

	The HIPAA Privacy Rule U.S. Department of Health & Human Services The Office for Civil Rights enforces the HIPAA Privacy Rule, which protects the privacy of individually identifiable health information; the HIPAA Security Rule, which sets national standards for the security of electronic protected health information; the HIPAA Breach Notification Rule, which requires covered entities and business associates to provide notification following a breach of unsecured protected health information; and the confidentiality provisions of the Patient Safety Rule, which protect identifiable information being used to analyze patient safety events and improve patient safety.
	Navigating HIPAA in the Electronic Age: What DCs Must Know ACA News ~ March 2015 It has been nearly 20 years since the Health Insurance Portability and Accountability Act of 1996 (HIPAA) was passed and more than five years since its privacy protections for health care consumers were significantly strengthened by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, as more healthcare transactions became electronic. But even so, many clinicians — especially those in smaller, often non-hospital-affiliated practices such as chiropractic — may not be up to speed on what they need to do to protect their patients’ privacy in the electronic age and comply with laws like HIPAA and HITECH, says Steven Baker, DC, DABFP, DABCO, a councilor with the Council on Chiropractic Education.
	HIPAA GETS AN UPDATE: What You Need to Know Now ACA News ~ November 2013 POP QUIZ:   Do you know why Sept. 23, 2013, was significant for covered entities? It's because Sept. 23 was the date by which covered entities must be compliant with the new portions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) that were added when the omnibus rule was finalized in January. What do you need to do in order to be compliant? ACA will help you answer that question and will provide you with the resources you need to be compliant.
	New HIPAA Regulations Go Into Effect February 17, 2010 New HIPAA regulations for Business Associates go into effect February 17, 2010 and most chiropractors qualify as covered entities subject to these new rules.
	Are You Protecting Your Patients' Confidential Information? NCMIC ~ The Examiner ~ Spring 2009 Doctors -and the people they employ- are expected to protect this confidential patient information and only use it on behalf of the patient. This expectation of confidentiality starts when the doctor/patient relationship begins. When this confidentiality is violated, patients may sue.
	HIPAA & Chiropractic Many providers have procrastinated because of the difficulty in understanding what the requirements of HIPAA are, or they believe that HIPAA does not pertain to them, as patient privacy has always been addressed in their practice, however; all providers must institute changes to meet the letter of the new privacy law. Providers must have documented policies and practices clearly stating patient privacy and protected health information security, even if you are a solo practitioner with no employees. Patients must receive policies from you regarding consent, authorization, disclosure and rights.
	Examples of 2 Useful Forms For Your Office    Notice of Our Privacy Practices         Adobe Acrobat Version        Word Version    Patient Release Form         Adobe Acrobat Version        Word Version
	Notice of Privacy Practices for Protected Health Information This Adobe Acrobat file states: "The HIPAA Privacy Rule gives individuals a fundamental new right to be informed of the privacy practices of their health care plans and of most of their health care providers, as well as to be informed of their privacy rights with respect to their personal health information".
	Top 12 Misconceptions About HIPAA Compliance Becoming HIPAA compliant is a requirement every health care provider must address. Payers, managed care organizations and malpractice insurance companies are progressing toward meeting the demands of HIPAA for their own organizations, which will restrict the level of participation for those providers who have not done so.
	Privacy Notices: The First Level of HIPAA Violations If you don't use any other health services, you may not realize that virtually every other health-care entity provides a “Notice of Privacy Practices” to its patients/customers. This is an important part of HIPAA compliance that has been required of all health-care providers since the April 14, 2003 deadline. So, your patients are already receiving privacy notices from all other providers (MDs, acupuncturists, drug stores, managed care organizations, etc.) with whom they interact. Have they received your Notice of Privacy Practices?
	Centers for Medicare & Medicaid Services HIPAA Page The Administrative Simplification provisions of HIPAA include: Electronic Transactions and Code Sets, Security, Unique Identifiers and Privacy. For more information on Privacy, visit the HHS Office for Civil Rights.
	HIPAA: Beware the “Ides of April” The second half of this article outlines things that must be done:  (1)   Appoint a privacy officer: Failure to do something as basic as this will demonstrate to any agency a lack of concern, and will be significant in the event of any inquiry.   (2)   Develop and implement required privacy policies: Developing and implementing all the policies and procedures required is key to showing HIPAA compliance.   (3)   Complete a pre-emption analysis: Check with your attorney to determine if your state privacy laws conflict with HIPAA.   (4)   Develop, distribute and post notices of privacy: The notice of privacy practices is a high-visibility HIPAA requirement that will be obvious if missing.   (5)   Provide initial training to staff: If a patient sues for invasion of privacy, there will be no defense for the disregard of training.   (6)   Develop and use authorization form: Implement a release of information form that your patients must sign. Disclosure of PHI must be included.   (7)   Identify and contract with business associates: Business Associate agreements should be taken seriously.   (8)   Know patients' rights under HIPAA: Develop a brief list summarizing these rights, and be certain your staff knows them.
	HIPAA   Q  &   As with Howard Ross Here are answers to some questions generated by the "Everything You Wanted to Know" artilce below.
	The Deadline for Compliance With the HIPAA Privacy Rules Is Approaching The Department of Health and Human Services (HHS) has promulgated the regulation entitled, Standards of Privacy of Individually Identifiable Health Information, i.e., “The Privacy Rules”, which becomes effective on April 14, 2003. The Privacy Rules create national standards to protect individuals' medical records and other personal information.
	HIPAA Privacy Laws: Violators Face Jail Time, Fines up to $250,000, and No Payments by Insurance Companies Some insurance companies have already indicated they will no longer pay providers who are not compliant. Sooner or later, you are going to have to work with your lawyer, a consultant who has HIPAA expertise (whose HIPAA experience is more than the last six months) or utilize a computer program to create administrative and compliance manuals that are customized to your specific practice. Essentially, these are the only ways to become HIPAA- compliant. Boilerplate manuals will not qualify.
	An Interview with HIPAA Authority Howard Ross Let's say you faxed something out, and it went to the wrong person; the patient files a complaint, and it goes to OCR. Representatives come to your office, and you show how your equipment proves that it went to the right phone number, and that you have authorization on a patient disclosure form to use a fax or email. You have only made a mistake, and you won't be fined or penalized. Without that manual that is specific to you or your office (and if it looks like a 'boiler-plated' manual, the OCR and DHHS won't consider it applicable to your office), this complaint could result in a fine or worse. We saw this in the past, when a number of offices copied manuals, and they found that no work was done to make the manual applicable.

Return to the LINKS Table of Contents

Since 12-01-2002

Updated 5-06-2021