HIPAA - E-Learning System

CHAPTER 8
HIPAA
LEARNING OBJECTIVES
In this PowerPoint presentation, we will learn about:
• What is HIPAA?
• HIPAA – Use and Need
• Titles of HIPAA
• Administrative Simplification and Privacy – Six Divisions
• HIPAA Compliance & Violation
• Business Associate (BA) & Business Associate Agreement (BAA)
• HIPAA – Indian Hospitals and Healthcare BPOs and KPOs
REVENUE CYCLE MANAGEMENT IN
HEALTHCARE
1
RULES & REGULATIONS
It is crucial for every business organization to conform
to the appropriate rules and regulations set by the
governing bodies from time to time so as to stay clear
from any unexpected hurdles in the future.
Following all the rules and regulations as laid down by
the authorities also projects a superior image of the
organization over its competitors in the eyes of the
general public.
Healthcare BPOs and healthcare KPOs have an identical organizational structure and differ only in the type of staff involved in performing the work.
Healthcare BPOs and healthcare KPOs are also governed by the same rules and regulations.
HIPAA
HIPAA stands for The Health Insurance Portability and
Accountability Act.
HIPAA was enacted by the 104th United States Congress and
signed by President Bill Clinton in 1996.
The primary goal of HIPAA is the privacy and security of patient health information.
It mandates uniform standards and formats for electronic health information and code sets for routine types of health transactions.
HIPAA has undergone several updates and revisions; the most significant change of all has been the inclusion of the HITECH Act.
While privacy and security of patient health information
is its primary goal, HIPAA also focuses on reducing the
administrative costs of the healthcare facilities with the
help of electronic data exchange.
It has a specific focus on minimizing healthcare fraud and abuse of medical benefits, and on imposing fines and penalties on organizations that do not comply with HIPAA.
The Health Insurance Portability and Accountability Act (HIPAA) is also sometimes referred to as the Kennedy–Kassebaum Act.
It provides better healthcare access and portability and
renewability of health insurance coverage.
Consumer satisfaction is of utmost importance in modern
organizations.
The patient’s satisfaction in a healthcare setup can be achieved through two steps:
1) By providing the best possible treatment and care to the patient.
2) By protecting the medical information of the patient from falling into the wrong hands.
The first step can be achieved at the physician’s level, but the
second step needs a comprehensive effort from the physician as
well as the hospital administrative staff.
During the early 1990s, several complaints were filed by patients regarding the improper handling of their medical records, the divulging of medical records to unauthorized persons, and the revealing of more personal medical information than necessary to others without the patient’s authorization. This led to a great hue and cry for a law that would address all these issues.
With the digitization of patient health information, the security and privacy of medical information became more critical and called for a comprehensive rule that would prevent medical data breaches and spell out the consequences of a breach.
Therefore, HIPAA was enacted by the United States as an effective way of assuring patients that healthcare facilities are committed to protecting patient health information.
The main premise of HIPAA was that, once the law was in place, it would compel healthcare organizations, providers, and individuals to handle PHI more carefully and exercise appropriate precautions to ensure it is not misused or accessed without authorization.
FIVE TITLES OF HIPAA
HIPAA is made up of five subsections.
These subsections are also known as titles and are represented as Title I, Title II, Title III, Title IV, and Title V.
The privacy of the patient health information, the
security of the patient health information, and various
incentives and tax-related provisions fall under the
purview of these five titles.
Title I:
Title I of HIPAA consists of provisions that are intended
to improve the healthcare access, portability, and
renewability of insurance coverage of individuals or
families and groups of individuals who are covered under
any insurance plans.
Title I:
It provides special rights to the individuals or families so that
they can retain the insurance coverage in case of changing jobs
from one company to another.
It also contains an important nondiscrimination provision: an individual in a group health plan cannot be singled out for limited-period insurance coverage or disease-specific insurance coverage unless the restriction is imposed on the whole group health plan.
Title II:
Title II of HIPAA consists of provisions directed at preventing healthcare fraud and abuse, administrative simplification and privacy, and medical liability reform.
Title II:
It is the most important title of all the existing five
titles and is again made up of seven subtitles. All the
seven subtitles or provisions are intended to combat fraud
and abuse and to try to simplify the administration of the
health insurance and health care delivery systems.
The most important of all the seven subtitles or
provisions is the administrative simplification and
privacy.
Administrative simplification and privacy comprises six subdivisions: the privacy rule, electronic transactions rule, code sets rule, security rule, unique identifiers rule, and enforcement rule.
Title II:
We will discuss the administrative simplification and privacy part of HIPAA in detail, as it is the only title that affects the Indian healthcare BPOs and KPOs that take outsourced work from the United States.
Title III:
Title III of HIPAA amended the US Internal Revenue Code (IRC) of 1986 to provide tax-related health provisions for deductions.
It provides for various tax deductions for health
insurance and reforms health insurance law.
Title IV:
Title IV of HIPAA covers the application and enforcement of group health insurance requirements. We can say that Title IV establishes guidelines for the enforcement of Title I.
It specifies conditions for group health plans regarding coverage
of persons with pre-existing conditions, and modifies
continuation of coverage requirements.
Title V:
Title V of HIPAA deals with the amendment of the US Internal
Revenue Code (IRC) of 1986 by repealing the IRC’s financial
institution rule to interest allocation rules.
It includes provisions to regulate the employer’s tax deductions related to company-owned life insurance and the treatment of individuals who lose or give up U.S. citizenship for income tax reasons.
All five titles of HIPAA explained above can be categorized into two major divisions, that is,
(1) Administrative simplification and privacy, which takes care of the accountability part of HIPAA, and
(2) Insurance reform and tax-related provisions, which take care of the portability and revenue offset part of HIPAA.
The administrative simplification and privacy part of HIPAA has a bearing on healthcare providers, for example, physicians, hospitals, home healthcare facilities, pharmacies, etc.
The insurance reform and tax-related provision division of HIPAA has a bearing on employers and payers, for example, Medicare, Medicaid, etc.
INSURANCE REFORM AND TAX-RELATED PROVISION
Prominent features of the insurance reform are as follows:
1) It provides for non-discrimination based on a specific health condition under a group health plan.
2) If a new member of a group health plan has a pre-existing condition but has prior creditable coverage, insurance reform prevents health insurers from imposing any exclusion.
3) It enables individuals to retain their health insurance coverage when switching from one job to another and from one state to another within the country.
4) It also guarantees that health payers must periodically renew the health plan.
ADMINISTRATIVE SIMPLIFICATION AND PRIVACY
In India, whenever we come across the word HIPAA, 90% to 95% of the time it refers only to the administrative simplification and privacy part of HIPAA.
Basic functions of administrative simplification and privacy are as follows:
1) It protects PHI by providing guidelines for privacy and security implementation.
2) It focuses on reducing medical fraud and abuse.
3) It sets forth several rules for the secure transfer of PHI over the Internet.
4) It provides the road map to reduce the overhead costs of administrative activities.
5) It tries to improve healthcare services by implementing centralized clinical database access.
[Figure: Subdivision of Administrative Simplification & Privacy]
Electronic transaction rule:
It is also sometimes colloquially referred to as the electronic data interchange (EDI) rule, since it requires the use of standard electronic formats for the transfer of healthcare information between two parties (covered entities).
HIPAA has adopted certain standard electronic
transactions for electronic data interchange (EDI)
of administrative healthcare data.
Electronic transaction rule was published on October
16, 2003 and its final compliance date was set to be
January 1, 2012.
Code sets rule:
Code sets rule defines the standardized medical and
non-medical data code sets to be used as applicable
by covered entities which are involved in any kind
of electronic transactions.
There are two types of code sets:
• Medical code sets
• Non-medical code sets
The code sets rule was issued on October 16, 2003 and its final compliance date was set to be October 1, 2014, which again was proposed to be postponed to October 1, 2015 to accommodate ICD-10.
Medical code sets rule:
HIPAA has approved the following medical code sets:
• ICD-10 – International Classification of Diseases
• CPT – Current Procedural Terminology
• HCPCS – Health Care Procedure Coding System
• NDC – National Drug Codes
• CDT – Current Dental Terminology
Non-medical code sets:
HIPAA has approved the following non-medical code sets: telephone and fax numbers, ZIP codes, SSN, MRN, etc.
Unique identifiers rule:
The unique identifiers rule of HIPAA mandates the use of standard unique identifiers for employers and healthcare providers.
Accordingly, every employer has to obtain an Employer Identification Number (EIN) (sometimes known as the Federal Employer Identification Number, FEIN) unique to them, and every healthcare provider has to obtain a National Provider Identifier (NPI) unique to them.
The Employer Identification Number (EIN) or Federal Employer Identification Number (FEIN) is a unique 9-digit identification number issued by the United States Internal Revenue Service (IRS) to business entities operating in the United States for the purpose of identification. It is comparable to the Tax Deduction Account Number (TAN) issued to employers in India.
Unique identifiers rule:
The National Provider Identifier (NPI) is a unique 10-digit identification number issued to healthcare providers in the United States by the Centers for Medicare and Medicaid Services (CMS), details of which can be obtained from the official website https://nppes.cms.hhs.gov
Employer Identification Number (EIN) and National
Provider Identifier (NPI) will be used by the covered
entities in any kind of electronic communications for
identification.
Unique Identifier Rule was published on May 31, 2002
and its compliance date was set on July 30, 2004.
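As an added example (not part of the original presentation), the following Python validates an NPI before it is accepted into an electronic transaction: it checks that the value is exactly 10 digits and that its tenth digit is correct. It relies on one fact the slide does not state: the tenth NPI digit is a Luhn check digit computed over the first nine digits with the constant prefix 80840 prepended. The sample numbers are illustrative, not real providers.

```python
"""Format and check-digit validation for a 10-digit NPI.

Added example, not from the original presentation. Assumption stated in the
lead-in: the check digit is the Luhn check digit over "80840" + the first
nine digits.
"""

NPI_PREFIX = "80840"  # constant prefix the NPI check-digit scheme prepends


def luhn_check_digit(digits: str) -> int:
    """Luhn check digit for a digit string that does not yet carry one."""
    total = 0
    # Walk from the rightmost digit outward, doubling every other digit
    # starting with the rightmost one; a doubled value above 9 has 9 subtracted.
    for position, ch in enumerate(reversed(digits)):
        value = int(ch)
        if position % 2 == 0:
            value *= 2
            if value > 9:
                value -= 9
        total += value
    return (10 - total % 10) % 10


def npi_check_digit(first_nine: str) -> int:
    """Compute the tenth NPI digit from the first nine."""
    if len(first_nine) != 9 or not first_nine.isdigit():
        raise ValueError("NPI base must be exactly 9 digits")
    return luhn_check_digit(NPI_PREFIX + first_nine)


def is_valid_npi(npi: str) -> bool:
    """True when npi is exactly 10 digits and its check digit is correct."""
    npi = npi.strip()
    if len(npi) != 10 or not npi.isdigit():
        return False
    return npi_check_digit(npi[:9]) == int(npi[9])


if __name__ == "__main__":
    # Constructed sample values for illustration only.
    for candidate in ("1234567893", "1234567894", "123456789", "12345678AB"):
        print(candidate, "valid" if is_valid_npi(candidate) else "invalid")
```

A check-digit test catches mistyped or transposed identifiers in a claim before it is sent; it says nothing about whether the provider exists, which only a lookup against the NPPES registry can confirm.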
Privacy Rule:
Privacy rule regulates the use and disclosure of
protected health information by covered entities and
lists the 18 personal identifiers.
Protected health information (PHI) is any information, such as an individual’s medical and demographic information, information on the provision of healthcare, or information on payment for healthcare, that can be easily linked to the individual.
PHI can be in electronic format or paper format.
Privacy Rule:
Personal identifiers are information that is unique to an
individual and can reveal the individual’s identity.
There are 18 personal identifiers and any health information
by itself without these 18 identifiers is not considered to
be PHI.
If an employee comes across any of the 18 personal identifiers exposed through malicious or unintentional tampering by other personnel, they should immediately notify their superior so that adequate measures can be put in place to contain the breach.
The Privacy Rule was published on December 28, 2000 and the
compliance date was set to be April 14, 2003.
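The point that health information without the identifiers is not PHI, while health information with even one of them is, can be turned into a detection check. The following Python is an added example, not part of the original presentation: it scans records for a few of the identifier types the presentation names under non-medical code sets (telephone/fax numbers, ZIP codes, SSN, MRN) and separates records that are PHI from those that are not. The patterns are constructed heuristics rather than an encoding of all 18 identifiers, and the sample records are constructed.

```python
"""Flag records that carry personal identifiers and therefore constitute PHI.

Added example, not from the original presentation. The patterns cover a few
identifier types (phone/fax, ZIP, SSN, MRN); they are constructed heuristics,
not an exhaustive encoding of all 18 identifiers.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Ordered from most to least specific so that overlapping matches are
# attributed to the more specific identifier type.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone_or_fax": re.compile(r"(?<!\d)(?:\(\d{3}\)\s?|\d{3}[-.])\d{3}[-.]\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:#\s]*\d{5,}\b", re.IGNORECASE),
    "zip": re.compile(r"\b\d{5}(?:-\d{4})?\b"),
}


@dataclass(frozen=True)
class Finding:
    record_no: int
    kind: str
    value: str


def scan_record(text: str, record_no: int = 0) -> list[Finding]:
    """Identifiers found in one record; on overlap the first (more specific) kind wins."""
    findings: list[Finding] = []
    claimed: list[tuple[int, int]] = []
    for kind, pattern in IDENTIFIER_PATTERNS.items():
        for match in pattern.finditer(text):
            start, end = match.span()
            if any(start < e and s < end for s, e in claimed):
                continue  # already reported under a more specific kind
            claimed.append((start, end))
            findings.append(Finding(record_no, kind, match.group(0)))
    return findings


def classify_records(records: list[str]) -> tuple[list[tuple[int, list[Finding]]], list[int]]:
    """Split records into those that are PHI (identifier present) and those that are not."""
    phi: list[tuple[int, list[Finding]]] = []
    non_phi: list[int] = []
    for record_no, text in enumerate(records, start=1):
        found = scan_record(text, record_no)
        if found:
            phi.append((record_no, found))
        else:
            non_phi.append(record_no)
    return phi, non_phi


# Constructed sample records; the numbers are illustrative, not real people.
SAMPLE_RECORDS = [
    "Dx: type 2 diabetes, A1c 7.4, follow-up in 3 months",
    "Patient MRN 4482913 seen for hypertension, BP 142/91",
    "Call back at (555) 010-2233 regarding lab results",
    "SSN on file 123-45-6789; mailing ZIP 12345",
]

if __name__ == "__main__":
    phi, non_phi = classify_records(SAMPLE_RECORDS)
    for record_no, found in phi:
        print(f"record {record_no}: PHI ->", [(f.kind, f.value) for f in found])
    print("records without identifiers (not PHI by themselves):", non_phi)
```

The first record contains a diagnosis and a lab value but no identifier, so by the rule on this slide it is not PHI; the other three are. A five-digit MRN would also match the ZIP pattern, which is why the scanner runs the more specific patterns first and suppresses overlapping matches.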
[Figure: 18 Personal Identifiers]
Security Rule:
Security rule of HIPAA establishes standards to protect
individuals’ electronic protected health information.
Because the two are closely related, the terms security rule and privacy rule are often used interchangeably in Indian healthcare BPOs and KPOs.
Security Rule:
The privacy rule and security rule differ in the sense that
privacy rule covers the gamut of protected health information
(PHI) including paper and electronic, whereas security rule
specifically focuses on electronic protected health
information (ePHI) creation, transmission, and management.
Security rule encompasses three types of security safeguards
to maintain the confidentiality of the electronic protected
health information (ePHI) in any healthcare system.
The three basic safeguards are:
• Administrative safeguards
• Physical safeguards
• Technical safeguards
Security Rule:
All the safeguards (administrative, physical, and technical) have their own implementation specifications labeled as “Required” (R) or “Addressable” (A); the label appears in parentheses after the title of the implementation specification.
If an implementation specification is labeled as “Required,”
the specification must be implemented.
If an implementation specification is labeled as
“Addressable,” it provides the covered entity some
flexibility with respect to compliance with the security
rule.
Security Rule:
In case an implementation specification is labeled as “Addressable,” covered entities have to choose one of the following three options:
i) Implement the addressable implementation specification.
ii) Implement another, alternative security measure (for example, if implementing the addressable specification is prohibitively expensive).
iii) Implement neither the addressable implementation specification nor an alternative security measure (and document the rationale for the decision).
Smaller medical facilities that are unable to bear the cost of expensive technological solutions may opt for an alternative solution or no solution at all, as long as the objectives of HIPAA are accomplished.
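The Required/Addressable distinction and the three options above can be checked mechanically against a register of decisions. The following Python is an added example, not part of the original presentation: a Required specification is acceptable only when implemented, while an Addressable one may take any of the three options but options ii and iii must carry documentation. The specification names and R/A labels in the sample register are constructed for illustration and are not the official breakdown.

```python
"""Review a security-rule implementation register for Required/Addressable compliance.

Added example, not from the original presentation. Specification names and R/A
labels in the sample register are constructed and not the official breakdown.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Label(Enum):
    REQUIRED = "R"
    ADDRESSABLE = "A"


class Decision(Enum):
    IMPLEMENTED = "implemented"          # option i
    ALTERNATIVE = "alternative measure"  # option ii
    NOT_IMPLEMENTED = "not implemented"  # option iii


@dataclass
class SpecRecord:
    name: str
    label: Label
    decision: Decision
    alternative: str = ""  # what was put in place instead (option ii)
    rationale: str = ""    # documented reasoning (options ii and iii)


def review(spec: SpecRecord) -> list[str]:
    """Return the problems with one record; an empty list means it is acceptable."""
    problems: list[str] = []
    if spec.label is Label.REQUIRED:
        # A rationale never excuses a Required specification.
        if spec.decision is not Decision.IMPLEMENTED:
            problems.append(f"{spec.name}: Required specification must be implemented")
        return problems
    # Addressable: any of the three options is allowed, but ii and iii must be documented.
    if spec.decision is Decision.ALTERNATIVE:
        if not spec.alternative.strip():
            problems.append(f"{spec.name}: alternative measure chosen but not described")
        if not spec.rationale.strip():
            problems.append(f"{spec.name}: rationale for the alternative not documented")
    elif spec.decision is Decision.NOT_IMPLEMENTED and not spec.rationale.strip():
        problems.append(f"{spec.name}: rationale for not implementing not documented")
    return problems


def review_register(register: list[SpecRecord]) -> list[str]:
    """Flatten the problems across a whole register."""
    return [problem for spec in register for problem in review(spec)]


# Constructed sample register (names and labels illustrative only).
SAMPLE_REGISTER = [
    SpecRecord("Risk analysis", Label.REQUIRED, Decision.IMPLEMENTED),
    SpecRecord("Sanction policy", Label.REQUIRED, Decision.NOT_IMPLEMENTED,
               rationale="planned for next quarter"),
    SpecRecord("Encryption of ePHI at rest", Label.ADDRESSABLE, Decision.NOT_IMPLEMENTED,
               rationale="closed network; existing access controls judged sufficient"),
    SpecRecord("Integrity verification mechanism", Label.ADDRESSABLE, Decision.ALTERNATIVE,
               alternative="nightly hash comparison of exported records"),
]

if __name__ == "__main__":
    for problem in review_register(SAMPLE_REGISTER):
        print("FINDING:", problem)
```

Run against the sample register, the review reports two findings: the Required sanction policy is not implemented (the rationale does not help there), and the alternative integrity measure has no documented rationale. The Addressable at-rest encryption entry passes because its option iii decision is documented.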
Security Rule:
[Table: Breakdown of the HIPAA security rule implementation specifications into “Required” (R) and “Addressable” (A)]
The Security Rule was published on February 20, 2003 and
the compliance date was set to be April 21, 2005.
Administrative safeguards
Administrative safeguards detail the policies and procedures that all covered entities should enforce in order to ensure the prevention, detection, containment, and correction of security violations.
They include implementation features consisting of risk analysis, risk management, and sanction and security policies.
They create strong sanction and security policies to define and analyze the risks to ePHI, both internal and external, and to take precautionary steps to prevent or contain those risks so that the entity remains HIPAA compliant.
Some of the main features of administrative safeguards:
• All covered entities should periodically conduct an internal audit or information system activity review and document it properly. An internal audit should also be conducted whenever an incident or event occurs.
• Covered entities should appoint privacy and security officers who will be responsible for implementing HIPAA requirements and will be accountable in case of any ePHI security breach.
• Authorization of access should be granted strictly to the minimum required ePHI.
• Covered entities should document a detailed sanction policy for employees who fail to comply with the security policies, for example, a verbal warning for inadvertent disclosure of PHI on the first occurrence, a written warning on the second occurrence, and termination of the employee on the third occurrence.
• Covered entities should ensure their business associates are HIPAA compliant and have a business associate agreement as well as a nondisclosure agreement in place.
• Covered entities should develop a training calendar and provide HIPAA training to all new recruits and refresher HIPAA training for employees on a periodic basis.
• Maintain written documentation of the policies and procedures for any emergency, natural or man-made, detailing ways to back up or recover the medical data.
• Employees should be trained to protect their log-in and access passwords.
• Written policies should exist to prove the covered entity’s HIPAA compliance in case an employee or a business associate deliberately causes a data breach.
Physical safeguards
Physical safeguards are physical control measures housed within facilities to protect a covered entity’s electronic information systems and related buildings and equipment from natural and environmental hazards and unauthorized intrusion.
They control physical access to electronic protected health information by unauthorized personnel.
Physical safeguards focus on the following key areas: assigned security responsibility, media controls, physical access controls, policies and guidelines on workstation use, secure workstation location, and security awareness training.
Some of the main features of physical safeguards:
• Every covered entity must have stringent physical access control to ensure that sensitive ePHI is accessed only by the intended authorized personnel. This can be established by making use of biometric devices, locks, alarms, security guards, and closed-circuit television (CCTV) cameras.
• Physical measures must be implemented to ensure that hardware and software installation and uninstallation are tamper-proof, and whenever a piece of hardware is required to be disposed of, it should be done in a safe and secure manner.
• Daily logs should be maintained for routine maintenance visits and visitor sign-ins.
• Workstations handling sensitive health information should not be in the direct view of the public and should be devoid of any removable drives, such as CD or DVD drives; if any removable drive is present, it should be secured.
• Data backups should be encrypted and stored in a different, secure location.
• If the covered entity outsources its work to any other vendor, it needs to ensure that the vendor complies with the physical safeguards of HIPAA.
Technical safeguards
Technical safeguards deal with the policies, procedures, and current technology employed to control access to computer systems, protect ePHI at rest, and protect ePHI transmitted electronically over open networks from being intercepted by anyone other than the intended recipient.
Technical safeguards propose five technical security service requirements with supporting implementation features: access control, audit controls, authorization control, data authentication, and entity authentication.
Some of the main features of technical safeguards:
• Covered entities should maintain documentation that includes a record of all configuration settings of workstations, servers, and network devices.
• Covered entities must implement electronic measures for entity authentication, the corroboration that an entity is who it claims to be.
• “Automatic logoff” and “Unique user identification” were specified as mandatory features and need to be coupled with at least one of the following: (1) a biometric identification system, (2) a password system, (3) a personal identification number, (4) telephone callback, or a token system that uses a physical device for user identification.
• Covered entities should ensure that data has not been altered or destroyed in an unauthorized manner, through data integrity and authentication mechanisms, for example, “error-correcting memory,” “digital signature,” and “magnetic disc storage.”
• Encryption must be employed to protect the security of ePHI being transmitted electronically from one point to another over open networks. If the data is at rest in a closed network and existing access controls are considered sufficient, then encryption is optional.
• If the covered entity outsources its work to any other vendor, it needs to ensure that the vendor complies with the security safeguards of HIPAA.
• All workstations should have the latest anti-malware, anti-spyware, and antivirus software installed and updated periodically, and a log of the same should be maintained.
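The access-control requirement (unique user identification and automatic logoff plus at least one authentication feature), the encryption rule (mandatory over open networks, optional at rest only in a closed network with sufficient access controls) and the integrity requirement from the technical-safeguard bullets above can be exercised together in code. The following Python is an added example, not part of the original presentation. The keyed HMAC-SHA256 tag stands in for the “digital signature” the slide names as an integrity mechanism (an HMAC is a shared-key tag, not a public-key signature); the system configurations, the record and the key are constructed for illustration.

```python
"""Check systems against the access-control and encryption points and verify ePHI integrity.

Added example, not from the original presentation. HMAC-SHA256 stands in for the
digital signature named on the slide; all configurations, the record and the key
are constructed for illustration.
"""
from __future__ import annotations

import hashlib
import hmac
import json
from dataclasses import dataclass

MANDATORY_FEATURES = frozenset({"unique_user_id", "automatic_logoff"})
AUTH_FEATURES = frozenset({"biometric", "password", "pin", "telephone_callback", "token"})


@dataclass(frozen=True)
class SystemConfig:
    name: str
    features: frozenset[str]        # enabled access-control features
    crosses_open_network: bool      # ePHI leaves the site over an open network
    encrypted_in_transit: bool
    encrypted_at_rest: bool
    closed_network_controls_sufficient: bool  # condition under which at-rest encryption is optional


def access_control_problems(cfg: SystemConfig) -> list[str]:
    """Both mandatory features plus at least one authentication feature must be enabled."""
    problems: list[str] = []
    for missing in sorted(MANDATORY_FEATURES - cfg.features):
        problems.append(f"{cfg.name}: mandatory feature '{missing}' not enabled")
    if not (AUTH_FEATURES & cfg.features):
        problems.append(f"{cfg.name}: no authentication feature (biometric, password, PIN, callback or token)")
    return problems


def encryption_problems(cfg: SystemConfig) -> list[str]:
    """Encryption is required over open networks; at rest it is optional only with the closed-network justification."""
    problems: list[str] = []
    if cfg.crosses_open_network and not cfg.encrypted_in_transit:
        problems.append(f"{cfg.name}: ePHI crosses an open network without encryption")
    if not cfg.encrypted_at_rest and not cfg.closed_network_controls_sufficient:
        problems.append(f"{cfg.name}: ePHI at rest is unencrypted without a closed-network justification")
    return problems


def seal_record(record: dict, key: bytes) -> str:
    """Keyed integrity tag over a canonical JSON serialization of the record."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def record_is_intact(record: dict, tag: str, key: bytes) -> bool:
    """True only if the record still matches the tag (constant-time comparison)."""
    return hmac.compare_digest(seal_record(record, key), tag)


# Constructed sample systems, key and record (illustrative only).
BILLING_WORKSTATION = SystemConfig(
    "billing-ws", frozenset({"unique_user_id", "automatic_logoff", "password", "token"}),
    crosses_open_network=True, encrypted_in_transit=True,
    encrypted_at_rest=False, closed_network_controls_sufficient=True)
LEGACY_SCANNER = SystemConfig(
    "legacy-scanner", frozenset({"unique_user_id"}),
    crosses_open_network=True, encrypted_in_transit=False,
    encrypted_at_rest=False, closed_network_controls_sufficient=False)
DEMO_KEY = b"constructed-demo-key-not-for-production"
SAMPLE_RECORD = {"mrn": "0000001", "dx": "hypertension", "visit": "2024-01-15"}

if __name__ == "__main__":
    for cfg in (BILLING_WORKSTATION, LEGACY_SCANNER):
        for problem in access_control_problems(cfg) + encryption_problems(cfg):
            print("FINDING:", problem)
    tag = seal_record(SAMPLE_RECORD, DEMO_KEY)
    tampered = dict(SAMPLE_RECORD, dx="none")
    print("original intact:", record_is_intact(SAMPLE_RECORD, tag, DEMO_KEY))
    print("tampered intact:", record_is_intact(tampered, tag, DEMO_KEY))
```

The billing workstation passes both checks: it has the two mandatory features plus two authentication features, encrypts in transit, and its unencrypted storage is covered by the closed-network justification. The legacy scanner produces four findings. The integrity tag detects any change to the record, including reordering of keys being ignored thanks to canonical serialization, and a verifier holding a different key cannot forge or validate tags.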
Enforcement Rule
The enforcement rule of HIPAA sets forth rules and regulations that constitute investigation procedures and court hearings and, most importantly, establishes civil monetary penalties in case of any HIPAA rule violations.
In its early days, HIPAA focused more on voluntary compliance, which did not seem to work; therefore, the enforcement rule was enacted.
Civil prosecution under the security and privacy rules of HIPAA is enforced by the HHS’ Office for Civil Rights (OCR), and criminal prosecution under the security and privacy rules of HIPAA is enforced by the United States Department of Justice (DOJ).
The Enforcement Rule was published on April 14, 2003 and its compliance date was set to be March 16, 2006.
HIPAA VIOLATION
There are grave consequences of not complying with the
HIPAA laws both in terms of monetary penalties and prison
time.
Non-compliance with any HIPAA rule is considered a civil offense, and the HHS’ Office for Civil Rights (OCR) enforces a penalty of $100 per person per violation with a cap of $25,000 per year for similar types of violations.
If there is any unauthorized access to or disclosure of protected health information with malicious intent (such as to sell, alter, transfer, or destroy), it is considered a criminal offence, and the United States Department of Justice (DOJ) enforces a penalty of a minimum of $50,000 and a maximum of $250,000 AND/OR a minimum prison term of 1 year and a maximum of 10 years.
HITECH Act 2009
There have been several amendments in HIPAA but the most
significant of all has been the HITECH Act.
Health Information Technology for Economic and Clinical Health
(HITECH) Act promulgated various prominent changes to HIPAA.
Major changes enforced by the HITECH Act 2009 to HIPAA are as follows:
• It is through the HITECH Act that the business associates of the covered entities have come under the purview of HIPAA and are accountable for any violations of HIPAA.
• The HITECH Act implemented the breach notification rule.
• The HITECH Act also set forth the stage 1 and stage 2 requirements of meaningful use of EHR.
• HITECH increased the civil and criminal penalties for violations of the HIPAA rules.
HIPAA COMPLIANCE
Prior to the HITECH Act 2009, only the covered entities, that is, healthcare providers, healthcare clearing houses, and health plans, came under the purview of HIPAA.
After the inclusion of the HITECH Act 2009 into HIPAA, business associates as well as subcontractors were also required to be compliant with HIPAA and to maintain the same level of confidentiality and security as the covered entities.
HIPAA compliance is an ongoing process and periodic risk
analysis and management needs to be performed in order to
attain the same.
This periodic risk analysis needs to be performed by the
privacy and security officers.
Covered Entity (CE)
The administrative simplification and privacy rule of
HIPAA states that any entity that directly handles the
protected health information is a covered entity.
A covered entity under the HIPAA law can be any of the following three types of entities:
1) Healthcare providers who electronically transmit any protected health information.
2) Healthcare clearing houses.
3) Health plans.
If any covered entity outsources its healthcare functions
to a business associate, the covered entity must have a
written business associate agreement.
Healthcare Providers
Healthcare provider is any individual or organization who
furnishes, bills, or is paid for healthcare in the normal course
of business.
NOT all healthcare providers are covered entities.
A healthcare provider is termed a covered entity only if it transmits any protected health information electronically in connection with a transaction. The transmission of the electronic information can be direct or through a business associate.
Examples of healthcare providers are physicians, clinics, hospitals, pharmacies, etc. A social worker who is involved in the healthcare of patients but does not perform any standard electronic transactions is a healthcare provider but not a covered entity.
Healthcare Clearing House
A healthcare clearing house is any public or private entity that processes, or facilitates the processing of, electronic protected health information received in a nonstandard format or data content into a standard format or data content, or electronic protected health information received in a standard format or data content into a nonstandard format or data content, for various covered entities.
Examples of healthcare clearing houses are Navicure, Ingenix, FusionEDI, etc.
Health Plan
Health plan is any individual or group plan or combination of both
that provides or pays for the cost of medical care.
Examples of health plan are health maintenance organization, Medicare,
Medicaid, etc.
Business Associate (BA)
A business associate is any person or entity who performs certain functions or activities involving the use or disclosure of protected health information on behalf of a covered entity but is not part of the covered entity’s workforce.
Some business associate functions and activities are claims processing, transcription, billing, coding, data analysis and management, quality assurance and management, etc.
Business Associate Agreement (BAA)
Business Associate Agreement (BAA) is the service agreement of a
covered entity with a business associate. It is also known as
Business Associate Contract (BAC).
It is mandatory under HIPAA that every covered entity that uses the services of a business associate to perform any functions or activities involving the use or disclosure of protected health information enter into a written agreement.
Guidelines for an ideal business associate agreement (BAA):
• It should specify the administrative, physical, and technical safeguards put in place by the business associate to prevent any kind of data misuse.
• It should mention the permitted uses and disclosures of protected health information by the business associate, as required by the contract or by law.
• The BAA should state that in the event of any data breach, the business associate will immediately notify the covered entity and initiate the necessary steps to contain the breach.
• The agreement should also provide for unconditional termination of the contract by the covered entity in case the covered entity suspects any data breach or possible misuse of ePHI by the business associate.
• The BAA should be executed in such a manner that each and every person handling protected health information is accountable for any misconduct.
• The BAA should also clearly delineate the responsibilities of the business associate for the proper handover or disposal of hardware and software containing ePHI in case of contract termination.
Subcontractor or Independent Contractor
Sometimes business associates need to outsource work to a different
vendor. These vendors are known as subcontractors, subvendors, or
independent contractors.
In effect, a subcontractor is a business associate of a business
associate, so all the rules and regulations that apply to the
business associate apply to the subcontractor as well.
The BA should also send the subcontractor a due diligence
questionnaire to comply with HIPAA.
Chain of Trust (COT) Agreements are the aggregate of all the business
associate agreements (BAAs) that exist, from the covered entity down
to each and every entity that has had access to protected health
information.
HIPAA – INDIAN HOSPITALS AND HEALTHCARE BPO AND KPO
HIPAA compliance for Indian hospitals and Indian healthcare BPOs and
KPOs is still a grey area and is widely debated.
Some experts believe that offshore vendors fall within the business
associate (BA) definition and should follow all the rules and
regulations required of a covered entity (CE) in order to be HIPAA
compliant. Other experts hold that, because HIPAA makes no mention of
offshore vendors located outside the U.S., it is unclear whether the
U.S. Department of Health and Human Services (HHS) has any legal
right to take action against an offshore contractor, and whether,
even if HHS' Office for Civil Rights chose to pursue action against
an offshore BA, HIPAA provides for such an investigation to be
carried out on foreign soil.
Although the question is still argued, Indian healthcare BPOs and
KPOs maintain voluntary compliance with HIPAA.
In the absence of detailed mandatory security and privacy laws for
hospitals in India, apart from a few guidelines set by the Medical
Council of India (MCI), Indian hospitals are trying to become HIPAA
compliant in a bid to achieve international standards and increase
their medical tourism business from the US as well as other Western
and European countries.
To facilitate smooth healthcare services, the American Medical
Association (AMA) insists that the hospital be accredited and that
the handling and transfer of medical records follow the HIPAA
guidelines.
This is why several hospitals in India are now vying for
accreditation by the National Accreditation Board for Hospitals &
Healthcare Providers (NABH) and the National Accreditation Board for
Testing and Calibration Laboratories (NABL) under the Quality Council
of India, as this accreditation is accepted by ISQua, the
International Society for Quality Assurance in Healthcare.
In a bid to increase the flow of business from Western and
European countries, Indian healthcare BPOs and KPOs are
implementing various administrative, physical, and technical
safeguards in order to comply with HIPAA.
Due to the hefty civil and criminal penalties imposed on covered
entities by the HITECH Act of 2009, the US healthcare industry
now outsources work only to those Indian companies that are
fully HIPAA compliant.
Indian healthcare BPOs and KPOs employ privacy and security
officers (HIPAA compliance officers) or outsource the work of
security risk analysis and management to a third party.
Listed below are some questions on HIPAA compliance that Indian
healthcare BPOs and KPOs should always be prepared to answer when
dealing with a covered entity.
Twelve questions for a business associate (healthcare BPOs and
KPOs):
1) Does your organization have a proper business associate
   agreement (BAA) with the respective covered entity and
   business associate?
2) Is there a full-time privacy and security officer or
   consultant on your organization's payroll?
3) Are all the software and hardware used by your organization
   HIPAA certified? If not, provide the rationale.
4) Does your organization perform routine security risk
   analysis and risk management?
5) Are all the employees of your organization regularly
   trained in and aware of the HIPAA privacy and security
   regulations?
6) Does your organization have all the required privacy and
   security policies and procedures in place in order to
   achieve HIPAA compliance?
7) What measures has your organization taken to ensure that
   employees' use or disclosure of PHI is limited to what they
   need to perform their job duties effectively?
8) In case of an employee violating HIPAA law, what is your
   sanction policy?
9) Does your organization have a data breach notification
   policy?
10) Does your organization have a proper policy for the disposal
    of PHI?
11) Have all the employees understood and signed the
    nondisclosure agreement (NDA)?
12) What is your official policy regarding the disposal of
    computers, hardware, and software that contain PHI?
NOT A BUSINESS ASSOCIATE?
HIPAA has brought all entities involved in healthcare under
its purview; however, there are some exceptions to whom HIPAA
does not apply.
These employees, while working in the healthcare system, do
not come into direct contact with protected health information
during the course of their job responsibilities, and the work
they perform does not require the use or disclosure of protected
health information.
Some examples of employees or entities that do not qualify as a
business associate are janitorial services, plumbers,
electricians, courier companies, etc.
A business associate agreement is not necessary for these
employees.
HIPAA CERTIFIED VERSUS HIPAA COMPLIANT
HIPAA certification is optional, BUT HIPAA compliance is
mandatory.
An individual can be HIPAA certified BUT an
organization/institution has to be HIPAA compliant.
NOTE: There is no officially sanctioned HIPAA certification,
that is, the governing body of HIPAA does not recognize any
private institutions, consultants, seminars, or systems as HIPAA
compliant/certified.
Individual HIPAA certifications offered by private institutions
are as follows:
Certified in Healthcare Privacy Compliance (CHPC)®
Certified HIPAA Privacy Security Expert (CHPSE)®
Certified HIPAA Security Expert (CHSE)®
Certified HIPAA Privacy Expert (CHPE)®
Certified HIPAA Privacy Associate (CHPA)®
Software (EHR, medical billing and coding software, etc.) has to
be HIPAA certified if it is being used in a medical facility or
by a covered entity.
The covered entity has to put in place specific policies and
procedures which will make it a HIPAA-compliant organization.
Attaining HIPAA compliance is not a one-time event: once an
organization is compliant, it has to conduct compliance audits on
a periodic basis, because of constant changes in the business
environment and in the HIPAA laws.