HIPAA Highlights
Highlights of the privacy rule requirements:
- A privacy official from within the organization must be appointed to
develop and implement the organization's policies and procedures.
- There must be a designated contact person responsible for receiving
complaints of HIPAA violations.
- Staff must be trained on policies and procedures that concern the
protection of healthcare information, as it applies to their position. This
training must be documented.
- Patients must be supplied with written notice of privacy practices and
patients' privacy rights, including how medical information is used and
disclosed. "A good faith effort" is required on the part of the
provider to get written acknowledgment of this notification.
- No marketing materials can be sent to an individual without prior consent.
- Outside consultants involved in the administrative process must be
contractually obligated to protect patients' privacy.
- Should an employee violate the requirements, there should be penalties in
place.
- Transaction and Code Sets - The Transaction and Code Sets standards
(TCS) outline proper billing and electronic transaction methods for health
care related organizations. The original deadline for compliance was October
16, 2002, but for those who filed for an extension, the deadline is October
16, 2003.
- Employer Identifier – All businesses that pay wages to employees
have an Employer Identification Number (EIN). Under the Employer Identifier
standard, all health care entities must use their EIN as their business
identification number in all transactions. Deadline for compliance is July
30, 2004.
- Security Rule – Similar to the privacy rule, the security rule
covers more complex and specific areas with regard to how electronic data
is transmitted, stored, and received. Specific administrative, physical and
technical security services are required to guard data integrity,
confidentiality, and availability. This is where the security of the
enterprise network and security policies in place will come under scrutiny.
Most covered entities have until April 14, 2003 to comply with the patient
privacy rule. There are a few exceptions that allow certain small health plans
to have until April 14, 2004 to comply.