HIPAA Frequently Asked Questions


What is HIPAA?

Most healthcare organizations, health plans, and providers who maintain or electronically exchange health data will be required to comply with the requirements. The Department of Health will be required to comply at all levels within the organization, including local clinics. Metro clinics must also adopt the requirements.

As an employee of the Department, it will be your responsibility to ensure ongoing compliance with the HIPAA rules as a daily part of your work activities. There could be civil penalties for the Department and yourself for wrongful disclosures of health data.

HIPAA has an impact on automated systems that send or receive the standard transactions. However, HIPAA also has a major impact on policy and procedures that you use daily to govern your use and disclosure of personal health information maintained in any format, whether electronic, paper, or oral.

HIPAA is not just a systems issue!

Changes to business practices will occur at all levels within the Department. Business activities that may be impacted include:

  • How you may greet a customer in the reception area;
  • What data you may capture at the sign-in or registration desk;
  • Where you have conversations with the customers about their healthcare;
  • When you need signed authorizations to release healthcare data;
  • Whether you should release healthcare data over the phone;
  • Where healthcare data is stored and how the data is protected from unauthorized access;
  • How disclosures of healthcare data will be logged and tracked;
  • How the office is organized so that personal computers, fax machines, and medical equipment are protected from unauthorized access or viewing.

The implementation timeframes for changes needed within the Department of Health are very short. The effective dates for specific parts of HIPAA are:

  • Privacy - April 16, 2003
  • Transactions and Code Sets - October 16, 2003
  • Identifiers - Dates vary depending upon type of identifier
  • Security - No implementation date has been established (however, some security changes will be required to implement the privacy rules)

ARE THERE PENALTIES FOR FAILURE TO COMPLY WITH RULES?

The Department AND individual employees can be penalized for failure to comply with HIPAA rules.

Individual persons can incur penalties as a result of the wrongful disclosure of individually identifiable health data. The penalties include:

  • General penalties for failure to comply with Transactions and Code Sets are:
    • $100 for each violation;
    • $25,000 maximum penalty for all violations of an identifiable requirement.
  • Wrongful disclosure of Individually Identifiable Health Information could result in the following penalties:
    • $50,000, imprisonment of not more than one year, or both for a wrongful disclosure offense;
    • $100,000, imprisonment of not more than five years, or both for offense under false pretenses;
    • $250,000, imprisonment of not more than ten years, or both for an offense with intent to sell information.

Each employee will be trained prior to the effective date of the Privacy Rule. Until then, you can become familiar with HIPAA by accessing HIPAA-related links from the Department's web page or other internet sites. You can also incorporate some basic business practices into your current daily routine that will help with the implementation of the HIPAA rules. These include:

  • Take notice of who is standing or sitting near you when you need to disclose health data over the phone. If those persons should not hear the information, move to a more private location;
  • Verify the identity of the person on the phone before releasing healthcare data over the phone;
  • Verify the identity of the person to whom you are faxing information. Ensure the fax can be received in a location that limits unauthorized access to the information;
  • Conduct phone conversations or in-person discussions with patients in areas where conversations cannot be easily overheard;
  • Begin to question the level of data and the reasons persons or entities need to receive health information. You may be able to remove individually identifying information from the reports or responses;
  • Before releasing healthcare data to others, ensure the person or entity has the right to receive the data. Ensure proper consent forms or authorizations have been received;
  • Re-position your computer monitor if the screen can be seen by persons who do not have a need to view the specific health data;
  • Implement passwords, timeout processes, and screen savers on your personal computers to prevent unauthorized access to data systems or data maintained on your computer;
  • Develop work habits to return medical records or health data to secure areas at the end of the day, such as locking file cabinets, lockable records rooms, or locked desks;
  • Only access data that you have a legitimate need to view; and
  • Begin to document your duties and the types of data you will need access to in order to perform your job well. This information can then be used to document your role in the office and your need for data.