HIPAA laws protect many things – from the rights of individuals to carry health insurance coverage between jobs to the integrity of the Medicare program. However, the HIPAA laws are best known for protecting the privacy of individually identifiable health information maintained by health plans and qualifying health care providers.
Strictly speaking, the content of the Health Insurance Portability and Accountability Act did not create any new HIPAA laws. Rather, it amended existing laws such as the Employee Retirement Income Security Act (ERISA) and Social Security Act to facilitate the portability and continuity of health insurance coverage between jobs.
Because of concerns that the cost to health plans of portability and continuity would be passed to employers and plan members in the form of higher premiums, Congress added measures to reduce health plan costs. These measures appear in Title II of HIPAA in the forms of a Fraud and Abuse Control Program, a Medicare Integrity program, and Administrative Simplification requirements.
How HIPAA Laws Protect against Fraud and Abuse
During the preparation of HIPAA, a report to Congress revealed that “as much as 10 percent of total health care costs are lost to fraudulent or abusive practices by unscrupulous health care providers” and that “only a small fraction of the abuse and fraud […] is identified and dealt with”. At the time, healthcare spending in the United States was calculated to be $988.5 billion.
To protect health plans against fraud and abuse, Congress introduced a Fraud and Abuse Control Program and a Medicare Integrity Program. The programs allocated tens of millions of dollars to the FBI to fund investigations and prosecutions for fraud, and the penalties for being found guilty of fraud were increased substantially to include exclusion from Medicare and state health plans.
The Administrative Simplification Requirements
To support the HIPAA laws protecting against fraud and abuse, Congress instructed the Secretary for Health and Human Services to develop standards for transactions between health plans and health care providers. These standards were intended not only to save costs by increasing the efficiency of eligibility, authorization, and claims processes, but also to make it easier to detect fraud and abuse.
As transactions were increasingly being conducted electronically, the Secretary for Health and Human Services was also instructed to develop security standards for health information and make recommendations for the privacy of health information. These instructions resulted in the publication of the Administrative Requirements, the Security Rule, and the Privacy Rule.
How the Privacy Rule Protects the Privacy of Health Information
Of the three sets of standards that were originally published (the Breach Notification standards followed in 2009), the Privacy Rule is the one responsible for protecting the privacy of individually identifiable health information. (Of note, the Department for Health and Human Services states “the Security Rule protects a subset of information covered by the Privacy Rule”).
The Privacy Rule protects the privacy of health information by stipulating permissible uses and disclosures of “Protected Health Information” and requiring all other uses and disclosures to be authorized by the subject of the information. Individuals are also given the right to request an Accounting of Disclosures to ensure health information is only used or disclosed as permitted.
Who do the HIPAA Laws Apply To?
This depends on which of the HIPAA laws is being referred to. The majority of the amendments to ERISA apply to health plans and employers, while many of the amendments to the Social Security Act can apply to health plans, employers, health care providers, schools, and/or public health authorities depending on the circumstances.
With regard to the Administrative Requirements, Privacy Rule, and Security Rule, these can apply to health plans and health care providers, and to any third-party Business Associates that perform a covered transaction (as defined in 45 CFR Part 162) or that create, receive, maintain, or transmit Protected Health Information for or on behalf of a health plan or health care provider.