HIPAA-ATTORNEYS.COM
HIPAA information website provided by Wachler & Associates, P.C.
Welcome
At Wachler & Associates, P.C., we pride ourselves on keeping up to date with the most current developments in health care law. The regulations implementing the Health Insurance Portability and Accountability Act (HIPAA) are one such development.
Our firm writes and speaks regarding HIPAA issues on a national level. We were asked to analyze the HIPAA final privacy rule, the final electronic transaction rule, and the final security rule for The Health Lawyer, a publication of the American Bar Association which is distributed to over 9,000 health care and business attorneys across the nation.
This website contains a compilation of our publications, helpful links, updates, and practical issues related to compliance with the HIPAA regulations.
Our firm has also developed a Workbook/Toolkit and Training Video to help health care providers comply with the Privacy Rule. To order a copy of the Workbook/Toolkit or the Training Video, please use the following link: Order form
Publications
- "New HIPAA Guidance Reduces ASC Fears", by Andrew B. Wachler and Abby Pendleton, FASA Update, Volume XX, Number 1, January/February 2003.
- "Finalization of Rule Removes Uncertainty", by Andrew B. Wachler and Amy K. Fehn, Michigan Health & Hospitals, November/December 2002.
- "HIPAA Compliance Date Extended", by Andrew B. Wachler and Amy K. Fehn, Michigan Health & Hospitals, July/August 2002.
- "Setting the Standard", by Andrew B. Wachler and Amy K. Fehn, Michigan Health & Hospitals, November/December 2001.
- "Electronic health care transactions must follow specific standards", by Andrew B. Wachler and Phyllis A. Avery, Health Care Weekly Review, February 2001.
- "Privacy regulations cause a stir in health care community", by Andrew B. Wachler and Phyllis A. Avery, Health Care Weekly Review, April 4, 2001.
For publications on other healthcare law topics, please visit Wachler & Associates, P.C.'s Publications page.
HIPAA FAQs
What is HIPAA?
HIPAA is a legislative act which was passed in 1996. Among other topics, HIPAA addresses the electronic standardization, security, and privacy of health information.
Who must comply with HIPAA?
These rules generally apply to all health care plans, health care providers who transmit health care information in electronic form (using a standard transaction), and healthcare clearinghouses (including billing companies). These groups are referred to in the regulations as "covered entities."
What were the compliance deadlines for HIPAA?
For most covered entities, the compliance date for the electronic standard transactions rule was October 16, 2002 and the compliance date for the privacy rule was April 14, 2003 (small health plans are given an additional year to comply).
Please note that, pursuant to H.B. 3323, the deadline for compliance with the Electronic Standard Transactions rule has been extended to October 16, 2003 for those entities submitting an adequate compliance plan.
The compliance deadline for the Security Rule was April 21, 2005.
What kind of information is protected by HIPAA?
"Protected health information" is defined by the Privacy Rules as "individually identifiable health information" that is transmitted electronically, maintained electronically, or transmitted or maintained in any other form or medium. It includes not only paper and electronic records but oral statements as well.
The Security Rule governs "electronic protected health information," and requires covered entities to ensure the confidentiality, integrity, and availability of all protected health information that is created, received, maintained or transmitted by the covered entity in electronic form.
What rights do individuals have under HIPAA?
In general, the HIPAA Privacy Rule gives individuals the right to request a restriction on uses and disclosures of their protected health information. The individual is also provided the right to request confidential communications or that a communication of protected health information be made by alternative means, such as sending correspondence to the individual's office instead of the individual's home.
With limited exceptions, individuals also have the right to inspect and obtain a copy of their own protected health information and to request amendments of their protected health information.
What do health care providers and other "covered entities" need to do in order to comply with the HIPAA Privacy Rule?
Examples of the issues that covered entities will need to address in order to comply with the Privacy Rule are: appointment of a privacy officer and contact person to receive complaints, development of consent, notice and authorization forms for patients, development of numerous required privacy policies and procedures, drafting of agreements with all business associates, and training of staff on privacy issues.
What does the HIPAA electronic standard transactions rule require?
The rule requires providers and other covered entities to adopt standards for nine transactions. Of primary concern to providers is the requirement that health care claims be submitted in standard format to all third party payors.
What does the HIPAA security rule require?
The rule requires covered entities to implement administrative procedures, physical safeguards, and technical security services to guard the integrity, confidentiality, and availability of patient data. The rule also requires covered entities to implement technical security mechanisms to prevent unauthorized access to patient data.
*This information is set forth for informational purposes only. It is not intended to be legal advice nor should it be interpreted as such.
Practical Issues*
Privacy Rule - Are you HIPAA compliant?
The deadline for compliance with the HIPAA Privacy Rule was April 14, 2003. Some of the things you should be doing at this point include:
- Providing all patients with a Notice of Privacy Practices that contains all of the elements required by the Privacy Rule.
- Posting your Notice of Privacy Practices in a prominent location and on your website.
- Following written policies and procedures that are compliant with the HIPAA Privacy Rule when patients seek to exercise rights under HIPAA.
- Obtaining authorization from the patients in a form that is compliant with HIPAA for all uses and disclosures that are not related to treatment, payment, or healthcare operations, or subject to one of the designated exceptions.
- Entering into business associate agreements with individuals or entities who provide services on your behalf, involving the use of protected health information.
- Establishing a system for patient complaints.
Compliance with the Security Rule - where to begin?
In the final Security Rule, published on February 20, 2003, the Department of Health and Human Services ("DHHS") attempted to adopt a scalable and flexible approach to take into consideration the various sizes of organizations affected by the rule.
Because of the flexibility and scalability incorporated into the final Security Rule, covered entities should be cautious when dealing with vendors who market certain products as "required" by the Security Rule. The requirements will vary depending on each covered entity's situation, as identified by the covered entity's "risk analysis". Covered entities may want to consult with health care attorneys versed in the Security Rule requirements before making any major purchases.
The core structure of the Security Rule consists of eighteen standards, which are broken down into three basic categories: administrative safeguards, physical safeguards, and technical safeguards. Each standard also has certain "implementation specifications" that serve as the "instructions" for compliance. Thirteen of the implementation specifications are required, while the remaining specifications are "addressable".
If an implementation specification is required, the organizations must implement the specification as set forth in the Rule. For those specifications that are "addressable", the organization may implement an alternative specification instead of, or in combination with, the specification set forth in the Rule. If an alternative approach is taken, the covered entity must document its decision not to implement the Security Rule's specification, the rationale behind the decision, and the alternative approach that it has chosen.
In determining which specific technologies and security measures must be taken in order to meet the standards, an organization is permitted to take into account: its size, complexity, and capabilities; the costs of security measures; and the probability and criticality of potential risks to electronic protected health information.
In some situations, the covered entity may also decide that the implementation specification is inapplicable to its situation and that the standard may be met without the specification or an alternative. In these situations, the covered entity must document its decision not to implement the specification, the rationale behind that decision, and the manner in which the standard is being met.
The key to making appropriate determinations regarding the specific technologies and security measures to be implemented within any given organization is to conduct and document a thorough "risk analysis" of the organization. The risk analysis is one of the required implementation specifications of the security management process standard, which is considered by DHHS to be the foundation for the Security Rule.
In conducting a "risk analysis", covered entities must identify the risks and vulnerabilities of its electronic protected health information. This will require covered entities to take into account all "relevant losses" that would be expected if security measures were not in place, including losses that would be caused by unauthorized uses and disclosures and loss of data integrity.
In order to conduct a thorough and useful risk analysis, covered entities - regardless of size - should, at a minimum, do the following:
- Identify all systems that house electronic protected health information or are used to transmit electronic protected health information (for example, include data repositories, electronic medical record systems, and e-mail systems that are used to maintain or transmit electronic protected health information).
- Identify any known or possible threats to the information, including natural and human threats, and determine the probability of each of these threats (for example, include natural disasters such as floods, environmental threats such as water pipe breaks or electrical fires, and human threats such as disgruntled employees or hackers).
- Determine how vulnerable each system is to each identifiable threat, including any known or anticipated weaknesses of the system (for example, look at any past problems with the system that involved security breaches or loss of data, as well as any future potential problems that have been identified by IT personnel or vendors).
- Identify the impact that the loss of information or the unauthorized use or disclosure of information would have on the organization (for example, how would daily functions of the organization and patient privacy be impacted by a loss of data or unauthorized access to the data).
Once the risk analysis has been completed, the organization will be in a better position to analyze which of the "addressable" specifications must be implemented and the specific technologies that will be required, taking into account the identified risks and vulnerabilities, as well as such factors as the size and resources of the covered entity.
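The four-step risk analysis above, and the documentation the Security Rule requires when an "addressable" specification is handled by an alternative or judged inapplicable, can both be kept in a small, repeatable structure. The following is an added example written for this page, not a tool of Wachler & Associates and not a scoring method prescribed by the rule: it scores each system/threat pair as likelihood times vulnerability times impact (an assumed, illustrative formula), ranks the pairs, and flags any decision record that lacks a rationale, a described alternative, or a statement of how the standard is otherwise met. The system names, threats, ratings, and the two specification names used in the sample data are constructed for illustration.

```python
"""Risk register and addressable-specification decision log for a Security Rule
risk analysis. Constructed example; not the firm's tool, and the scoring formula
is an assumption, not something the rule prescribes."""
from dataclasses import dataclass
from itertools import product


@dataclass
class System:
    name: str
    impact: int  # 1..5: harm to operations and patient privacy if ePHI here is lost or disclosed


@dataclass
class Threat:
    name: str
    likelihood: int  # 1..5: how probable the threat is judged to be


@dataclass
class RiskItem:
    system: str
    threat: str
    vulnerability: int  # 1..5: how exposed the system is to this threat
    score: int          # likelihood * vulnerability * impact (illustrative formula)


def build_register(systems, threats, vulnerability):
    """Score every system/threat pair and return the pairs ranked highest risk first.

    `vulnerability` maps (system name, threat name) to a 1..5 rating; pairs that were
    never rated default to 1 so that no pair silently drops out of the register.
    """
    register = []
    for s, t in product(systems, threats):
        v = vulnerability.get((s.name, t.name), 1)
        register.append(RiskItem(s.name, t.name, v, t.likelihood * v * s.impact))
    return sorted(register, key=lambda r: r.score, reverse=True)


@dataclass
class SpecDecision:
    """Record of how an "addressable" implementation specification was handled."""
    spec: str
    status: str                 # "implemented", "alternative" or "not_applicable"
    rationale: str = ""         # required unless status == "implemented"
    alternative: str = ""       # required when status == "alternative"
    how_standard_met: str = ""  # required when status == "not_applicable"


def missing_documentation(d):
    """Return the documentation elements the rule expects that this record lacks."""
    if d.status == "implemented":
        return []
    if d.status not in ("alternative", "not_applicable"):
        return ["status"]
    missing = []
    if not d.rationale.strip():
        missing.append("rationale")
    if d.status == "alternative" and not d.alternative.strip():
        missing.append("alternative")
    if d.status == "not_applicable" and not d.how_standard_met.strip():
        missing.append("how_standard_met")
    return missing


# Constructed sample inventory, threats and ratings (not real data).
SYSTEMS = [System("EMR server", impact=5), System("Billing e-mail", impact=3)]
THREATS = [
    Threat("flood", likelihood=1),
    Threat("water pipe break", likelihood=2),
    Threat("disgruntled employee", likelihood=3),
    Threat("external attacker", likelihood=3),
]
VULNERABILITY = {
    ("EMR server", "disgruntled employee"): 4,
    ("EMR server", "external attacker"): 3,
    ("EMR server", "flood"): 2,
    ("EMR server", "water pipe break"): 2,
    ("Billing e-mail", "external attacker"): 4,
    ("Billing e-mail", "disgruntled employee"): 2,
}
DECISIONS = [
    SpecDecision("encryption of ePHI at rest (addressable)", "alternative",
                 rationale="legacy EMR database cannot be encrypted in place",
                 alternative="full-disk encryption on the EMR host plus restricted physical access"),
    SpecDecision("automatic logoff (addressable)", "not_applicable"),  # undocumented: gets flagged
]


def example_register():
    return build_register(SYSTEMS, THREATS, VULNERABILITY)


def incomplete_decisions():
    """Names of decision records that still lack required documentation."""
    return [d.spec for d in DECISIONS if missing_documentation(d)]


if __name__ == "__main__":
    for item in example_register():
        print(f"{item.score:3d}  {item.system} / {item.threat}")
    for d in DECISIONS:
        print(d.spec, "->", missing_documentation(d) or "complete")
```

Unrated pairs deliberately default to a vulnerability of 1 rather than being skipped, so a system that nobody assessed still appears in the register, and a decision record with a status other than the three recognised values is reported as undocumented rather than silently accepted.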
*This information is set forth for informational purposes only. It is not intended to be legal advice nor should it be interpreted as such.
Helpful Links:
Department of Health and Human Services Administrative Simplification Site: Provides links to text of the HIPAA statute, privacy and electronic transaction rules, the proposed security rule, instructions for subscribing to the HIPAA regulatory website, and links to other HIPAA related sites.
http://aspe.hhs.gov/admnsimp/
Department of Health and Human Services, Office for Civil Rights: The Office for Civil Rights is charged with enforcing the civil penalties under HIPAA. The OCR HIPAA Page provides links to the final security rule and frequently asked questions.
http://www.cms.hhs.gov/hipaa/hipaa2
Latest News:
On April 17, 2003, HHS published the interim final rule for enforcement of the HIPAA Privacy Rule. The Rule can be accessed by clicking on the following link: Federal Register (Text)
On February 20, 2003, HHS published final security and electronic standard transaction rules. These rules can be accessed by clicking on the following link: Federal Register (HTML)
On August 14, 2002 final privacy rules were published in the Federal Register, incorporating most of the modifications from the March 27, 2002 proposed modifications. To access the Federal Register text click here: Federal Register (text)
Past Speaking Engagements:
- December 4-5, 2003: Andrew Wachler presented on HIPAA for United Communications Group in Las Vegas, NV.
- May 5, 2004: the firm presented a HIPAA Security seminar to the Federated Ambulatory Surgery Association (FASA).
- October 1-3, 2003: Abby Pendleton presented a conference on HIPAA to the United Communication Group in Washington D.C.
- June 13, 2003: Mr. Wachler presented on HIPAA Privacy Liability Issues & Security to the ABA/AMA Physician Law Conference in Chicago.
- April 11, 2003: Ms. Fehn presented on "Communicating with Patients With HIPAA in Mind" for United Communications Group in Boston.
- May 2003: Mr. Wachler and Ms. Pendleton presented a HIPAA implementation workshop for the Federated Ambulatory Surgery Association (FASA) in Boston.
- May 2003: Ms. Pendleton presented on HIPAA at the AAA section of the Medical Group Management Association in Montreal.
- July 24, 2002: Ms. Pendleton and Ms. Fehn presented a HIPAA Seminar for the American Orthotic and Prosthetic Association (AOPA) in Las Vegas.
- July 18-19, 2002: Mr. Wachler, Ms. Pendleton and Ms. Fehn presented a two-day seminar/workshop on HIPAA for the Federated Ambulatory Surgery Association (FASA) in Chicago.
- May/June 2002: Mr. Wachler, Ms. Pendleton and Ms. Fehn presented nine seminars throughout the state of Michigan on HIPAA compliance.
- June 28, 2002: Mr. Wachler, Ms. Pendleton and Ms. Fehn presented a HIPAA seminar to the Michigan Orthotic and Prosthetic Association.
- May 4, 2002: Ms. Pendleton and Ms. Fehn presented a HIPAA seminar to the American Orthotics and Prosthetics Association in Boston.
- April 24-25, 2002: Ms. Pendleton presented on HIPAA at United Communication Group's Pain Conference in Washington, D.C. This Pain Conference will also be held on October 7-9, 2002 in Chicago.
- April 6-7: Mr. Wachler presented on HIPAA to the American Gastroenterological Association in Philadelphia.
- February 26, 2002: Mr. Wachler presented on HIPAA to the Federated Ambulatory Surgery Association (FASA) in Washington, D.C.
- February 12, 2002: Wachler & Associates, P.C., Miriam Paramore of Paramore Consulting, Inc., and Lorman Education Services presented a full-day seminar on HIPAA readiness and practical compliance in Troy, Michigan.
- January 30 - February 1, 2002: Mr. Wachler and Ms. Pendleton presented at United Communication Group's Pain Conference in Arizona on compliance and HIPAA for the pain management physician.
- December 7, 2001: the firm presented an all-day seminar entitled "HIPAA - Administrative Simplification: A Practical Approach" in Lansing, Michigan.
- December 3-5, 2001: Mr. Wachler spoke on HIPAA, Stark and other regulatory concerns at the 16th Annual Management and Leadership Conference sponsored by the National Hospice and Palliative Care Organization in Washington D.C.
- November 17, 2001: Mr. Wachler presented on HIPAA at the Michigan Osteopathic Association's "HIPAA Update and Educational Seminar" in Lansing, Michigan.
- November 9, 2001: Mr. Wachler presented on HIPAA and Stark at a seminar for the Radiology Business Management Association, Michigan Chapter, in Lansing, Michigan.
- August 22, 2001 (Okemos, MI): Mr. Wachler and Ms. Pendleton jointly conducted a workshop on the recent Health Insurance Portability and Accountability Act (HIPAA) regulations for the durable medical equipment (DME) members of the Michigan Home Health Association.
- April 2001: Ms. Pendleton spoke on the HIPAA privacy rule during a lunchtime presentation at a pain management conference sponsored by United Communications Group (publisher of the Anesthesia Answer Book, Part B News, Fraud and Abuse Answer Book, Medicare Compliance Alert, etc.).
- March 6, 2001 (Lansing, MI) and March 7, 2001 (Southfield, MI): the firm presented a seminar through Lorman Education Services entitled "Medicare, Medicaid and Other Payors: Enforcement and Compliance in Michigan", which included a presentation on HIPAA. This seminar was conducted by members of our firm along with an Assistant U.S. Attorney from the Western District of Michigan as well as representatives from Blue Cross Blue Shield of Michigan and Wisconsin Physician Service, the Medicare Carrier for Michigan.