HIPAA for Insurance Regulation: Susan Thomas, eHEALTH

“HIPAA” is an acronym for the Health Insurance Portability & Accountability Act of 1996, Public Law 104-191 of the United States of America, which amended the Internal Revenue Service Code of 1986.

HIPAA was intended to make healthcare delivery more efficient, and to increase the number of Americans with health insurance coverage. These objectives were achieved through three main provisions of the Act:

1) the portability provisions, 2) the tax provisions and 3) the administrative simplification provisions.

Before HIPAA
Prior to the passage of HIPAA, people were afraid to switch jobs or change employers out of fear that a pre-existing medical condition would disqualify them from receiving health insurance coverage from a new employer.

Health insurance was also prohibitively expensive, and it used to be difficult for individuals to purchase health insurance independent of their employer. Thus the number of self-employed, let alone unemployed, individuals with health insurance was unacceptably low.
The use of electronic health information was expanding in the early 1990s, and the health care industry was unable to standardize the process and use of electronic health information without federal action.

On average, some 150 people have access to a patient’s medical records during the course of a typical hospitalisation. Many of these people have legitimate reasons to access medical records. However, prior to the privacy provision in HIPAA there was no regulation on who could access medical records, what information could be accessed, and how the information found in medical records could be used in the health care system.

HIPAA simplified
Title I: Health Care Access, Portability, and Renewability

Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs. It regulates the availability and breadth of group and individual health insurance plans. It also prohibits any group health plan from creating eligibility rules or assessing premiums for individuals in the plan based on health status, medical history, genetic information, or disability, though this does not apply to private individual insurance.

The clause also limits restrictions that a group health plan can place on benefits for pre-existing conditions. Group health plans may refuse to provide benefits relating to pre-existing conditions for a period of 12 months after enrollment in the plan or 18 months in the case of late enrollment.

However, individuals may reduce this exclusion period if they had health insurance prior to enrolling in the plan. It allows individuals to reduce the exclusion period by the amount of time that they had “creditable coverage” prior to enrolling in the plan and after any “significant breaks” in coverage. “Creditable coverage” is defined quite broadly and includes nearly all group and individual health plans, Medicare, and Medicaid. A “significant break” in coverage is defined as any 63-day period without any creditable coverage.

Title I also forbids individual health plans from denying coverage or imposing preexisting condition exclusions on individuals who have at least 18 months of creditable group coverage without significant breaks and who are not eligible to be covered under any group, state, or federal health plans at the time they seek individual insurance.

Title II: Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform

Title II of HIPAA defines numerous offenses relating to health care and sets civil and criminal penalties for them. It also creates several programs to control fraud and abuse within the health care system. However, the most significant provisions of Title II are its Administrative Simplification rules. Title II requires the Department of Health and Human Services (HHS) to draft rules aimed at increasing the efficiency of the health care system by creating standards for the use and dissemination of health care information.
These rules apply to “covered entities” as defined by HIPAA and the HHS. Covered entities include health plans, health care clearinghouses, such as billing services and community health information systems, and health care providers that transmit health care data in a way that is regulated by HIPAA.

As per the requirements of Title II, the HHS has promulgated five rules regarding Administrative Simplification: the Privacy Rule, the Transactions and Code Sets Rule, the Security Rule, the Unique Identifiers Rule, and the Enforcement Rule.

Title II of HIPAA, the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers.

Administrative Simplification encouraged the widespread use of electronic data interchange in the US health care system and required improved efficiency in healthcare delivery by standardising electronic data interchange, and protection of confidentiality and security of health data.

HHS published the final HIPAA Security Rule in the Federal Register on February 20, 2003. Health plans and providers were required to be in compliance with these measures by April 21, 2005.

The administrative simplification provisions of HIPAA also directed the development of standards for unique health identifiers (or national numbers that are used to identify the individual or organization in standard health transactions) for patients, employers, health plans, and providers.

While respect for patient privacy was already informally considered a cornerstone of the medical profession, the complex legalities and potentially stiff penalties associated with the Privacy and Security Rules (2003) of HIPAA, as well as the increase in paperwork and the cost of its implementation, were causes for concern among physicians and medical centers.

HIPAA restrictions on researchers have affected their ability to perform retrospective, chart-based research as well as their ability to prospectively evaluate patients by contacting them for follow-up.

Consent forms for research studies are now required to include extensive detail on how the participant’s protected health information will be kept private. While such information is important, the addition of a lengthy, legalistic section on privacy may make these already complex documents even more user-unfriendly for patients who are asked to read and sign them.

This suggests that the HIPAA privacy rule, as currently implemented, may be having a negative impact on the cost and quality of medical research.

The complexity of HIPAA, combined with potentially stiff penalties for violators, can lead physicians and medical centers to withhold information from those who may have a right to it. A review of the implementation of the HIPAA Privacy Rule by the U.S. Government Accountability Office found that health care providers were “uncertain about their [legal] privacy responsibilities and often responded with an overly guarded approach to disclosing information…than necessary to ensure compliance with the privacy rule.”

Surveys show that the American public largely distrusts HIPAA
According to a recent survey by Harris Interactive, nearly three of five Americans agree that the privacy of their health information is not well protected by federal and state laws and organizational practices. The nationwide survey of 2,392 adults was commissioned for an Institute of Medicine committee that is considering how the Privacy Rule promulgated under the Health Insurance Portability and Accountability Act of 1996 affects health research.

The fear of disclosure of their personal health information is the primary reason Americans decline to take part in clinical trials of new medicines and other health research. When asked under what circumstances they would agree to allow their personal health information to be used in a research project, the largest group, 38 percent, said they wanted to know more about the project and would have to give their specific consent for each project. Other surveys, too, suggest that HIPAA and other privacy rules are slowing down research, adding to its cost, and in some cases, stymieing the projects.

HIPAA has made giving consent to research more complicated, with longer and denser forms for patients to review; human research subjects’ information may be less protected. It also appears that fewer doctors are reporting communicable diseases to state authorities because of privacy concerns.

Related December 2007