Health Insurance Portability and Accountability Act HIPAA Term Paper

Download this Term Paper in word format (.doc)

Note: Sample below may appear distorted but all corresponding word document files contain proper formatting

Excerpt from Term Paper:

Health Information Portability Accounting Act (HIPAA, went into effect the first quarter of 2003. Indeed, HIPAA creates federally mandated requirements regarding protected health information (PHI) that can impact any employer, regardless of its size, location or industry. Government estimates place the price tag for compliance within the public and private sectors at an estimated $22 billion. While the Privacy Rules were not aimed at regulating non-medical employers, employers who sponsor group health plans are affected, de-pending on whether the employer: (1) is fully insured or self-insured; and (2) creates or receives Protected Health Information. Protected Health Information (PHI) is defined to include all individually identifiable health information held or transmitted by a covered entity or business associate electronically or in other forms (Amatayakul, 2000). There are some exceptions. One important PHI exception is that the Privacy Rules do not apply to employment records, including medical information employers use to comply with various disability laws, such as American Disabilities Act (ADA), and workers' compensation, or to administer workplace disability policies, or substance abuse rules (Lax, 2002). Employers solely using medical information for compliance with the disability laws and workplace policy administration are not covered. Another important exception is accomplished through de-identified health information, useful to the employer in administering their health plan.

There are four components of the Privacy Rules (Amatayakul, 2000).1. Use and disclosure rules: provide for written consents that may be obtained for treat-ment, payment, and related health care operations. Authorization is required in writing to use PHI for purposes other than treatment, payment, and related health care operations, such as marketing. 2. Privacy practices notice: mandates that a privacy notice be given to the individual whose health information is being used, with the same notice being given to anyone who re-quests that information. 3. Individual rights provisions preserve the individuals right to: access and amend the information; obtain an accounting of disclosure; and secure additional protections.4. Administrative requirements: designating a privacy officer; providing a complaint responder; conducting training; and establishing security policies, including fire walls to secure the information (Lax, 2002).

The healthcare industry is familiar with the Privacy Rule HIPAA Act, however many outside the industry are not necessarily aware of the significant impact that the Privacy Rule may have on them. All employers that provides healthcare coverage to its employees, either through a fully insured or self-insured health plan, is affected by the Privacy Rule and must comply with the Rule. The U.S. Department of Health and Human Services ("HHS") is not authorized to regulate employers directly, however employers are regulated under the Privacy Rule indirectly, through the group health plans that they establish. A group health plan is considered a "covered entity," and is therefore directly regulated unless it is a small, self-administered plan with less than 50 participants. Many group health plans are contractual entities with no independent assets. Although not directly covered by the Rule, employers acting as "plan sponsors" who must administer the group health plan is responsible for ensuring that the mandate of the Privacy Rule is met. For example, although a Business Associate Agreement is not required for disclosures of protected health information, or PHI, between a group health plan and the plan sponsor, the employer will have to voluntarily agree to use or disclose such PHI only as permitted or required by the Privacy Rule.

Subject to certain exceptions, the major steps that an employer must take in order to comply with the Privacy Rule with respect to use and disclosure of PHI between the group health plan and the plan sponsor are below:

1. Create privacy policies and procedures that ensure that all PHI relating to employees is adequately protected to comply with the Privacy Rule

2. Amend group health plan documents to specify how the use of PHI will be restricted to the purposes permitted by the Privacy Rule.

3. Establish policies and procedures to ensure that consent is obtained from an employee prior to using PHI for purposes such as enrollment in a group health plan,

4. Establish "firewalls" between personnel (and workspace) associated with handling PHI for purposes of administering the group health plan and the rest of the employer's personnel and operations

5. Implement a compliance program for employees which includes appointing a privacy officer, training employees likely to come into contact with PHI, and creating a process to sanction employees who violate the employer's privacy policies and procedures

Regarding the second point above, the Privacy Rule instructs entities as to the types of restrictions that must be included in plan documents prior to any disclosures of PHI being made by the group health plan to the plan sponsor (Lax, 2002). The fourth point above is an important issue for employers because it requires them to set up firewalls in order to ensure that PHI is used for purposes of plan administration only, and not for any other employment related purposes, such as decisions on employee hiring or termination. Additionally, although the Privacy Rule does not dictate how these firewalls must be established, it does describe the general issues that must be addressed by the employer in creating such firewalls. The following issues must be included in the plan documents and include the following: 1. A description of the employees or classes of employees or other persons under the control of the plan sponsor who are to be given access to PHI; 2.Restrictions on the access to and use by such employees and other persons to permit only plan administration functions; 3. An effective mechanism for resolving issues of noncompliance by such employees or persons with the provisions set forth in the plan documents.

In connection with implementing a compliance program, group health plans are exempt from these requirements if they provide health benefits solely through an insurance contract with a health insurance issuer or an HMO and they do not create or receive PHI except for summary health information, or information regarding the status of an individual's enrollment, or disenrollment from the HMO or health insurance issuer. It is important to note that employers must consider their activities not only in the context of use and disclosure of PHI between the group health plan and the plan sponsor, but also in the context of any disclosures of PHI to a third party. A disclosure from the group health plan to a third party administrator would require adequate assurances of confidentiality, and would require a business associate agreement under the Privacy Rule before PHI could be disclosed.

While the HIPAA privacy rule raises a number of questions for employers, there are limited circumstances under which employers and covered entities can share protected health information without employee authorization. According to the final regulation, a covered entity may disclose PHI to an employer for public health activities under four conditions (Lax, 2002). First, HIPAA mandates the covered entity must be a covered health care provider who is either a member of the employer's workforce or is contracted by the employer for the purposes of performing a medical surveillance of the workplace or evaluating whether an individual has a work-related illness or injury. The PHI that is disclosed must consist of findings from that surveillance or investigation. The employer must also be seeking this information to comply with Occupational Safety and Health Administration (OSHA) or Mine Safety and Health Administration (MSHA) guidelines, or under a state law that has a similar purpose. The employer would need these findings to record an illness or injury or to carry out its responsibilities for workplace medical surveillance, according to the regulation. For example, OSHA requires employers to monitor employees' exposures to certain substances and to take specific actions when an employee's exposure level to a substance exceeds a specific limit. A covered entity might test an individual for such exposure…[continue]

Cite This Term Paper:

"Health Insurance Portability And Accountability Act HIPAA" (2005, February 27) Retrieved December 6, 2016, from

"Health Insurance Portability And Accountability Act HIPAA" 27 February 2005. Web.6 December. 2016. <>

"Health Insurance Portability And Accountability Act HIPAA", 27 February 2005, Accessed.6 December. 2016,

Other Documents Pertaining To This Topic

  • Health Insurance Portability and Accountability Act HIPAA

    Health Insurance Portability and Accountability Act (HIPAA) Discuss whether there has been a violation of Health Insurance Portability and Accountability Act (HIPAA)? There are no court rulings that can shed light on the issue. However going by the given facts, it is as follows: "Dr. Williams shows Joan's medical records to a friend for advice. His friend tells Dr. Williams to contact his medical malpractice insurance carrier." The problem here is if

  • Health Insurance Portability and Accountability Act HIPAA

    Health Insurance Portability and Accountability Act (HIPAA) of 1996 provided for the better management of health information as well as increased health coverage for target entities. Of particular emphasis the law has is the privacy and security of health information. Prior to the implementation of HIPAA, there was an ad hoc management of health information and health coverage is very limited. Often disparate policies and standards are used from

  • Health Insurance Portability and Accountability Act

    High Insurance Portability Health Insurance Portability & Accountability Act Some hope was given for the current legal environment to become better defined for health-care providers when Health Insurance Portability & Accountability Act (HIPAA) was passed by the in 1996. As previously mentioned, HIPAA is a monumental act that attempts to address and incorporate all three issues-- privacy, confidentiality, and security within one law. When HIPAA was passed, many applauded the portability aspects

  • HIPAA the Health Insurance Portability and Accountability Act of...

    HIPAA (the Health Insurance Portability and Accountability Act of 1996) and Recent Changes On August 21, 1996 a new law was signed called the Health Insurance Portability and Accounting Act of 1996, which is abbreviated as HIPPA (HEP-C, 2003 & Regence, 2003). The law guarantees many things to American workers, including continuous healthcare coverage for people who are changing jobs (DC, 2003). HIPPA also includes a provision that details the manner

  • Health Insurance Portability and Accountability

    d.) the variations HIPAA necessitates would be sufficient and the changes would be accompanied by remarkable uneasiness in several respects. Functioning in the type of high-security setting visualized by the proposed HIPAA security regulations would imply functioning under regular surveillance and with concentration to making medical record information as being secure. Whether in relation to paper or electronic form, information relating to medical record could not be any longer

  • Health Insurance Portability and Accountability

    The dilemma is often easier to resolve once those emotions and assumptions are put into their rightful context. For this paper, critical thinking came into play was logic. It is understood that initially the nursing profession had issues with HIPAA. These issues were practical, however, and when the law was matched up against the underlying principles and the Code of Ethics, it became apparent that the guidelines that can be

  • Cobra Health Insurance Health Insurance How Cobra

    COBRA Health Insurance Health Insurance How COBRA Works Davis was terminated from his employment because of long absence from work and not because he voluntarily resigned or any gross negligence on his part. Therefore, he and his family are eligible for health insurance coverage under the Consolidated Omnibus Budget Reconciliation Act (COBRA) provided his company maintains its group health plan and still has 20 or more employees for which they currently have 100.

Read Full Term Paper
Copyright 2016 . All Rights Reserved