News

Resources

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

If you work in the behavioral health service sector, it's likely that you've heard of HIPAA. You may not know what it stands for, or what it's supposed to do, but you've probably heard of it. That's good, because HIPAA is here, now, and it affects every one of the Coalition's members.

HIPAA Business Associate Changes in ARRA

The Health Information Technology for Economic and Clinical Health Act (HITECH) provisions of ARRA in Title XIII include important changes in Privacy (Subtitle D).  Changes related to business Associates under HOPAA Administrative Simplification are specified in Section 13401: Application of Security Provisions and Penalties to Business Associates of Covered Entities. 

Application of Security Provisions - Sections 164.308, 164.310, 164.312, and 164.316 of title 45, Code of Federal Regulations,

New Regulation for HIPAA Business Associate December 15, 2009

HITECH Raises the Stakes on HIPAA Compliance

Proposed Rulemaking to Implement HITECH Act Modifications July 14, 2010.  HHS issued a notice of proposed rulemaking to modify the HIPAA Privacy, Security, and Enforcement Rules. 

HIPAA National Provider Identifier

NYS Medicaid requires NPI on all non-claim transactions effective October 1, 2009
Dear Provider Letter

Breach Notification Rule

The U.S. Department of Health and Human Services issued new regulations requiring entities covered by the Health Insurance Portability and Accountability Act (HIPAA) to notify individuals after their unsecured health information has been breached. Under the regulations, health care providers, health plans, and other entities covered by HIPAA must promptly notify any individuals affected by a breach. If the breach affects more than 500 people, the Secretary of Health and Human Services and the media must also be notified. Breaches involving fewer than 500 must also be reported to the secretary annually. The regulations also affect business associates of covered entities.

Breach Notification Final Rule Update - 7/28/10

45 CFR Parts 160and 164 - Breach Notification for Unsecured Protected Health Information; Interim Final Rule

CMS Information on Breach Notification Rule

HIPAA Security Rule

• Guidance on Risk Analysis Requirements Under the HIPAA Security Rule (July 12, 2010)
• The Security Rule is located at 45 CFR Part 160 and Subparts A and C of Part 164.  
• View the combined regulation text of all HIPAA Administrative Simplification Regulations found at 45 CFR 160, 162, and 164.
• Security Rule Guidance Materials

HIPAA Enforcement Rule

The HIPAA Enforcement Rule contains provisions relating to compliance and investigations, the imposition of civil money penalties for violations of the HIPAA Administrative Simplification Rules, and procedures for hearings.  The HIPAA Enforcement Rule is codified at 45 CFR Part 160, Subparts C, D, and E.

HITECH Act Enforcement Interim Final Rule - October 29, 2009

HIPAA Enforcement Rule - Final Rule February 16, 2006

HIPAA Enforcement Activities

Learn more about HIPAA:

• CMS security guidance on remote access of EHR (January 2007)
• Analysis of the final HIPAA Security Rule
• Final Amendment to the HIPAA Privacy Rule (August 2002)
• NY State OMH HIPAA Rule Preemption Analysis

• HIPAA Privacy Rule Q&A with Robert Belfort of Manatt, Phelps and Phillips, LLP (4/29/03)
• Recent HHS Guidance on the Treatment of Flexible Spending Accounts under HIPAA (5/9/03)
• Application of HIPAA to Fully Insured Employer-Sponsored Health Plans (3/12/03)

• HIPAA Education Seminar Presentation: Transactions and Code Sets (PowerPoint slides from a presentation on 4/30/02)
• HIPAA Education Seminar Presentation: Privacy and Business Associate Relationships (PowerPoint slides from a presentation on 5/31/02)

• A general fact sheet on HIPAA from the Department of Health and Human Services: http://www.hhs.gov/news/press/2002pres/hipaa.html
• The Centers for Medicare & Medicaid Services' main HIPAA webpage: http://www.cms.hhs.gov/hipaa/
• The New York State Office of Mental Health's HIPAA page: http://www.omh.state.ny.us/omhweb/hipaa/hipaa_home.htm
• The New York State Medicaid program's HIPAA Information Center: http://www.health.state.ny.us/nysdoh/medicaid/hipaa/hipaamain.htm
• The Office for Civil Rights (OCR) is HHS's departmental component responsible for implementing and enforcing HIPAA's privacy regulations. Their main webpage: http://www.hhs.gov/ocr/hipaa/whatsnew.html
• If you applied for the delay to the Transactions and Code Sets Rule in October 2002, you will need to begin testing your electronic transactions by April 16th, 2003. A well known testing and certification service called Claredi has published a fact sheet on this requirement: http://www.npowerny.org/testing--claredi.pdf
• Two good sources of news relating to HIPAA are: http://www.hipaadvisory.com/news/ and http://www.healthdatamanagement.com/html/hipaa/HIPAA.cfm

Do you need help determining if you are a Covered Entity? CMS has put up a page help you figure it out: http://www.cms.gov/hipaa/hipaa2/support/tools/decisionsupport/default.asp

Are you a Coalition member looking for further information on HIPAA? Contact Karyn Krampitz.