What on Earth is HIPAA Title II?
HIPAA stands for the Health Insurance Portability and Accountability Act. This piece of legislation is aimed at simplifying and standardizing health insurance transfer and coverage for Americans. It is a huge document and therefore somewhat difficult to understand.
When you come into our office, you are asked to sign a notice indicating that you are aware that we comply with HIPAA standards. The specifics of HIPAA are available for review in our office, but the text can be difficult to wade through. So in the spirit of transparency, we’ve taken a minute to simply the portion of HIPAA most relevant to our patients. In this post, we are going to discuss Title II of HIPAA.
HIPAA’s Title II was designed to “standardize the processing of electronic healthcare transactions nation-wide.” It requires healthcare providers to “implement safe electronic access to the patients’ health data [while] remaining in compliance with the privacy regulations which were set by the HHS” (e-visit.com).
The first sub-point within Title II is known as the Privacy Rule, which covers Protected Health Information (PHI) — how it can and cannot be used and shared. If you have ever called your doctor’s office looking to have records shared with another physician or a copy sent to you, you are likely familiar with one particular hoop through which many practices make you jump: the Medical Records Release.
In order to remain HIPAA-compliant, many medical practices have a medical records release form which they require you to fill out before they will send any of your records. With this form, the practice can ensure that they are sending the records to the right provider or individual. The last thing any of us would want is for your medical records to fall into the wrong hands.
Some small practices do not use such a form, rather relying on their patients to give verbal consent to send the records. What is most important is that you feel secure. Do not hesitate to ask us to print a copy of our Medical Records Release form for you to fill out and send to your primary care physician or another specialist.
The Privacy Rule protects patients against having their information shared against their will or without their knowledge, and breaking the Rule could cost a practice up to $250,000. Visit this website to contact the U.S. Department of Health and Human Services if you feel that your health care provider has used your information inappropriately.
To be clear, the Privacy Rule protects against intentional and incidental disclosures of your information, although exceptions to the Rule exist for a few select examples. For example, the Rule does not punish providers for incidentally exposing a patient’s contact information when another patient signs a sign-in sheet at the front desk.
Another Rule to note is the Transactions and Code Sets Rule. This section of Title II standardizes the methods providers use to process records requests and transfer said records between practices. The purpose of the rule is to prevent abuse and fraud, and it is as helpful to providers as to patients.
The next section of Title II to note is called the Security Rule. This Rule is especially pertinent in the modern era of Electronic Medical Record (EMR) system and the like. Countless practices now rely entirely on an EMR for their record keeping. The Rule also covers security requirements for visitors, record encryption, and written record authorization policies, among others.
The next Rule is called the Unique Identifiers Rule. It requires that HIPAA compliant healthcare providers each have a National Provider Identifier number, which is a unique number from the provider’s other identifiers (DEA, tax ID, etc) and can be used to identify the provider in the HHS system.
The final Rule is far from the least of the bunch, as it outlines the enforcement of these rules, including fines for providers who are found to be operating out of compliance with HIPAA. This Rule standardizes the processes of investigation, penalty, and hearing for practices accused of misconduct.
The goal of HIPAA is to protect you, the patient, and to keep healthcare providers and insurance companies accountable. It is our hope that this blog has helped to clear up some confusion surrounding the HIPAA notification we ask you to sign at your new patient appointment. And we encourage you to do more research on your rights under HIPAA.
To read about HIPAA Title II in greater detail, please visit https://eligible.com/community/hipaa-title-ii/. And to learn more about HIPAA’s other Titles or file a complaint, please visit the U.S. Department of Health and Human Services.
Until next time, be well and stay healthy!