Overview of HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 was enacted by Congress to create a national standard for protecting the privacy of patients' personal health information. The law requires healthcare entities that use electronic means to process transactions, which include health information, to use standardized forms and a universal code system for illnesses and treatments. The regulation also requires new safeguards to protect the security and confidentiality of an individual's protected health information.
Although the law was passed in 1996, the regulation stated that if Congress had not passed comprehensive privacy legislation within 3 years, it would become the responsibility of the Department of Health and Human Services (HHS) to draft the protections.
Congress never enacted the legislation, and on August 21, 1999 the responsibility was passed on to HHS. Under support from the Bush administration, Secretary of HHS Tommy Thompson allowed the Privacy Rule to take effect on April 14, 2001.
As required by the new HIPAA legislation, most covered entities (Healthcare Providers, Health Plans, and Healthcare Clearinghouses) have two years to comply with the final privacy regulation. As of today, UTMB has until April 14, 2003 to come into full compliance with the HIPAA privacy standard.
The Office of Institutional Compliance, through our newly created Privacy Office, is currently in the process of creating new policies to be approved by the IHOP (Institutional Handbook of Operating Procedures) committee, which will address all of the privacy regulations. The Privacy Office is developing a privacy-training program for all faculty, employees, and students, which is targeted to begin in September 2002.
The proposed security regulation has yet to be finalized, but UTMB is working to monitor its development and to plan for its implementation. However, HHS has not yet approved the final standards for identifiers and security.
Penalties for HIPAA Violations
HIPAA calls for civil and criminal penalties for privacy and security violations, including:
- fines up to $25K for multiple violations of the same standard in a calendar year
- fines up to $250K and/or imprisonment up to 10 years for knowing misuse of individually identifiable health information