Health Insurance Portability and Accountability Act

Title II of the HIPAA contains standards and rules to ensure that individual healthcare information is not shared without consent or knowledge of the individual. This Title contains five sections that ensure these standards are met.

Let’s take a look at them here.

1. The National Provider Identifier Standard requires that every healthcare entity (meaning individuals, employers, health plans, healthcare providers, etc.) must have a ten-digit National Provider Identifier (NPI) number. This ensures organization and accountability.
2. The Transactions and Code Set Standard requires healthcare organizations to follow a standardized routine for Electronic Data Interchange (EDI). This pertains to the submission and processing of insurance claims and again ensures organization and accountability.
3. The HIPAA Privacy Rule is also referred to as the Standards for Privacy of Individually Identifiable Health Information. This is one of the most important sections of the HIPAA for consumers to understand since it directly pertains to the protection of their healthcare information. Under this section, covered entities are given standards to ensure that the disclosure of individual healthcare information is handled in an ethical manner.

Covered entities include healthcare providers, health plans such as (but not limited to) and HMO or Medicaid, healthcare clearinghouses that process information between other entities, and business associates.

The only health insurance plan that does not qualify as a covered entity is one with less than 50 participants, managed solely by an employer who maintains they are not a covered entity.

A covered entity can only disclose individual healthcare information if:

• Said information is being disclosed directly to the individual it pertains to.
• Information is about treatment, payment, and healthcare operations.
• Individual is given due opportunity to agree or object to the disclosure of personal information.
• There was an incident to an otherwise permitted use and disclosure.
• It is a part of a limited data set for research, public health, or healthcare operations.
• It is one of the following twelve national priority purposes:

1. When required by law
2. Public health activities
3. Victims of abuse or neglect or domestic violence
4. Health oversight activities
5. Judicial and administrative proceedings
6. Law enforcement
7. Functions (such as identification) concerning deceased persons
8. Cadaveric organ, eye, or tissue donation
9. Research, under certain conditions
10. To prevent or lessen a serious threat to health or safety
11. Essential government functions
12. Workers compensation

4. The HIPAA Security Rule sets the standards for patient data security with regards to electronic health information only, meaning that information transmitted orally or in writing is not covered. This is another crucially important section to understand. Covered entities must rely on professional ethics and good judgment to:

• Ensure the confidentiality, integrity, and availability of all electronic protected health information
• Detect and safeguard against anticipated threats to the security of the information
• Protect against anticipated impermissible uses or disclosures
• Certify compliance by their workforce

5. The final section of Title II is the HIPAA Enforcement Rule, which establishes guidelines for investigations into violations of the HIPAA.