The Health Insurance Portability and Accountability Act of 1996 (HIPAA) contains provisions governing the use and disclosure of an individual's health information. The MHCC provides resources to assist the health care industry in complying with the HIPAA privacy and security rules. Users of this information are encouraged to implement the HIPAA privacy and security standards in a manner that is reasonable and consistent with their organizational structure. HIPAA protects the confidentiality of a person's individually identifiable health information, including information held or transmitted electronically. This regulation:
Gives patients control over the use of their health information;
Defines the boundaries for the use and disclosure of health records by covered entities, which include health plans, health care clearinghouses, and health care providers;
Limits the use of protected health information (PHI) and minimizes the chances of inappropriate disclosure;
Establishes standards that health care providers must comply with;
Makes provisions for investigating compliance-related issues and holds violators accountable with civil or criminal penalties for violating the privacy of an individual's PHI; and
Permits disclosure of PHI without individual consent where needed for the individual's own health care, for the public benefit, and in the national interest.
The MHCC has developed the following documents that provide guidance in understanding and implementing HIPAA:
- Key HITECH Changes to HIPAA
The Health Information Technology for Economic and Clinical Health Act (HITECH) was enacted by the federal government as part of the American Recovery and Reinvestment Act of 2009. HITECH represents a historic investment in health information technology to improve the quality of health care delivery and patient care. HITECH made changes to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), particularly with regard to strengthening the privacy and security of protected health information (PHI) and increasing the penalties for violations of HIPAA. This chart summarizes key modifications to HIPAA made by HITECH, which began to take effect in 2010.
- HIPAA - A Guide to Privacy Readiness, v.4
This guide discusses how covered entities and business associates hold and disclose a person's individually identifiable health information, whether electronically, on paper, or orally. Following the passage of the American Recovery and Reinvestment Act of 2009 (ARRA), the guide also addresses the reporting of a breach of the security or privacy of unsecured protected health information (PHI), the inclusion of business associates in breach reporting obligations, and the disclosure of a limited data set or the "minimum necessary" PHI.
- HIPAA - A Guide to Security Readiness
This guide provides leading best practices for implementing the security standards designed to protect the confidentiality, integrity, and availability of electronic protected health information that is created, received, maintained, or transmitted by a covered entity, which includes payers, providers, claims clearinghouses, and business associates.
- State versus Federal Comparison: HIPAA Privacy Statute & Regulation
This document compares the similarities and differences between the regulations addressing the privacy of health care information in the Maryland Confidentiality of Medical Records Act (MCMRA) and the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA).
- CMS HIPAA Security Guidance: Portable Devices and External Systems or Hardware
This document provides information on how a covered entity or business associate may protect electronic protected health information (EPHI) when it is accessed or used offsite, or outside the organization's physical environment. These guidelines on remote access to or use of EPHI place emphasis on: risk analysis and risk management strategies; policies and procedures for safeguarding EPHI; and security awareness and training on the policies and procedures for safeguarding EPHI.
- National Provider Identifier (NPI) Timeline
This document discusses the requirements for health care providers that are HIPAA covered entities to obtain and use a standard unique identifier, the NPI, when submitting HIPAA standard electronic transactions, which include electronic claims, eligibility inquiries, claim status inquiries, and remittance advice.
Last Updated: August 8, 2012