HIPAA Overview for Small Healthcare Providers
What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA), also known as the Kennedy-Kassebaum Act, is a sweeping set of federal legislation and regulations created to improve the portability of an individual's healthcare coverage when changing jobs and to promote administrative simplification of health insurance. It will significantly impact the way you administer your practice.

Title I of the law deals with improving health insurance access and portability when changing jobs and became effective in September 1996. Title I of HIPAA has helped over 3 million individuals avoid being impacted by pre-existing conditions when changing jobs.

Title II of HIPAA deals with administrative functions in healthcare practices, including regulations which will greatly impact your practice: standardizing code sets and electronic transactions, establishing privacy and security standards, and standardizing identifiers for healthcare entities.


Who Does HIPAA Affect?
The easiest answer is that virtually all healthcare providers in the United States, regardless of size, are subject to HIPAA regulations. HIPAA applies to all healthcare providers who store or transmit electronic information, either directly or indirectly through a billing service, clearinghouse or other arrangement, to government or private payers, or to other healthcare providers. HIPAA arguably applies even to any healthcare provider that uses the telephone or a facsimile machine to transmit patient data. 

Regardless, HIPAA's privacy standards represent the new standard of care regarding patient privacy. Additionally, the bulk of HIPAA's regulations reflect solid business practices as well.


What Happens if I Don't Comply?
HIPAA is the law. Non-compliance carries serious penalties, including:
· $100 per occurrence, per client, up to $25,000 per standard per year for transaction and code set violations. 
· $100 per incident, up to $25,000 per person, per year, per standard in civil penalties for privacy standard violations. 
· Federal criminal penalties including:
    o Up to $50,000 and/or one year in prison for obtaining or disclosing protected health information
    o Up to $100,000 and/or up to five years in prison for obtaining protected health information under "false pretenses"
    o Up to $250,000 and/or up to 10 years in prison for obtaining or disclosing protected health information with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm.

Enforcement is expected to occur by patient and employee reporting to the Office of Civil Rights within the Department of Health and Human Services. Ignorance is expensive; even the civil penalties can add up quickly. A negligent practice with 1,000 patients could easily incur well over $500,000 in fines in under 12 months.


What Do I Have To Do To Comply?
HIPAA includes three sections with which providers must comply: transactions, privacy and security. Compliance involves:
· Conducting transactions in a certain way
· Protecting patient privacy to new, uniform levels and providing patients access to their records
· Ensuring security of physical and electronic patient records

HIPAA was created to ensure uniformity in the application of transactional, privacy and security standards across the industry. It requires not only that you meet certain standards in these areas, but insists that you document your policies, procedures and how you continue to meet these standards for each individual.


When Do I Have To Comply?
HIPAA is already the law of the United States and is in effect today. However, the Department of Health and Human Services has granted a transition period, indicating that enforcement will begin as follows:
· Transactions - October 16, 2002. A one-year extension is available, but you must apply by October 16, 2002 to receive it; otherwise, enforcement begins on the original compliance date.
· Privacy - April 14, 2003
· Security - To be determined once final regulations are issued later this year.


What Do I Do Next?
The HIPAA regulations cover over 1,500 pages and, even then, do not provide a roadmap to compliance. Those interested in setting up a compliance plan and all of the policies, procedures, job descriptions, forms, and everything else for HIPAA compliance on their own face well over 2,000 hours of work and thousands of dollars in cost. 

Thankfully, an easy solution is available. Built just for providers like you, HIPAANow! Toolkit provides training, a comprehensive Guide and Workbook and customer service to give you all the tools you need to make your practice HIPAA compliant. It will still involve a commitment of time and a change in policies and procedures, but the HIPAANow! Toolkit makes HIPAA compliance "easy as A-B-C."

Small providers have an advantage in HIPAA compliance - but they still need to go through the right steps.


WHAT YOU NEED TO KNOW ABOUT HIPAA

What is HIPAA?

In 1996 Congress passed the Health Insurance Portability and Accountability Act (HIPAA). It requires all healthcare providers to conform to a complex set of privacy, security, and electronic transaction standards. These standards are designed to help your practice achieve cost savings in communicating information electronically, as well as setting policies and standards to ensure the privacy and security of patient information.


Does It Apply To You?

Yes. HIPAA applies to virtually all healthcare providers and all types of information disclosures: verbal, written, or electronic. The first deadline for compliance is October 16, 2002, and failure to comply can result in significant fines (up to $250,000) and even jail time (up to 10 years).


How Do You Start Preparing for HIPAA?

First, ask yourself the following 5 questions:

· Do you know all of the areas where patient information flows into and out of your office?
· Do you have a privacy policy posted in a public place where patients can read it?
· Do you have a person dedicated to overseeing your policies and procedures to protect the privacy of patient information?
· Do you provide training for staff on your policies and procedures related to the privacy and security of patient information?
· Have you defined and documented which of your staff has access to patient information?

If you answered "No" to any of these questions, you would be in violation of the HIPAA standards.

Second, start preparing today!

You should begin your HIPAA readiness preparations immediately. The entire process of readiness, planning, and implementation will take 6-8 months. HIPAA standards make good business sense, and provide opportunities for you to reduce costs and increase efficiencies in your internal communications and processes. Delaying your efforts will also expose you to the unnecessary risk of non-compliance and the penalties that come with it.