Health Insurance Portability & Accountability Act of 1996
The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress in 1996. HIPAA does the following:
- Provides the ability to transfer and continue health insurance coverage for millions of American workers and their families when they change or lose their jobs;
- Reduces health care fraud and abuse;
- Mandates industry-wide standards for health care information on electronic billing and other processes; and
- Requires the protection and confidential handling of protected health information
The Privacy Rule
The HIPAA Privacy Rule provides federal protections for individually identifiable health information held by covered entities and their business associates and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of health information needed for patient care and other important purposes.
The Security Rule specifies a series of administrative, physical, and technical safeguards for covered entities and their business associates to use to assure the confidentiality, integrity, and availability of electronic protected health information.
Individuals, organizations, and agencies that meet the definition of a covered entity under HIPAA must comply with the Rules' requirements to protect the privacy and security of health information and must provide individuals with certain rights with respect to their health information. If a covered entity engages a business associate to help it carry out its health care activities and functions, the covered entity must have a written business associate contract or other arrangement with the business associate that establishes specifically what the business associate has been engaged to do and requires the business associate to comply with the Rules’ requirements to protect the privacy and security of protected health information. In addition to these contractual obligations, business associates are directly liable for compliance with certain provisions of the HIPAA Rules.
If an entity does not meet the definition of a covered entity or business associate, it does not have to comply with the HIPAA Rules. See definitions of “business associate” and “covered entity” at 45 CFR 160.103.
Information Technology & HITECH
The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology. Subtitle D of the HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information, in part, through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules.
The term "covered entity" under the HIPAA Privacy Rule refers to three specific groups, including health plans, health care clearinghouses, and health care providers that transmit health information electronically. Covered entities under the HIPAA Privacy Rule must comply with the Rule's requirements for safeguarding the privacy of protected health information.
CMS.gov: Are You A Covered Entity?
CMS.gov: Covered Entity Charts
HRSA.gov: What Is A Covered Entity?
HHS.gov: Fast Facts for Covered Entities
Venable LLP: What Your Nonprofit Needs to Do about HIPAA – Now
ProBonoPartner.org: HIPAA Primer for Nonprofit Social Service Agencies
SafeGov.org: HIPAA-HITECH Regulation, the Cloud, and Beyond
SGRLaw.com: HIPAA. It's Not Just for Doctors Anymore
The Angeletti Group: Fundraising Under New HIPAA Regulations
CMS.Gov: Full Text of the Bill
The Nonprofit Times Patient Information September 15, 2010