HIPAA, Health Insurance Portability and Accountability Act of 1996, is a Federal law that was written to address a long list of health care related issues. In this guide, we will address two aspects of HIPAA, Title I and II. Title I provides protection for plan members when they switch from one group plan to another or lose their job. Title II calls for national standards of how healthcare is transmitted.

Title I

Title one addresses the requirements for how members covered under group, and some individual health plans, should be protected.

HIPAA states that:

  •  A health plan cannot deny you because of your health.
  •  Pre-existing condition waiting periods must be limited.
  •  For some employees and individuals, HIPAA guarantees the renewal and availability of health coverage.
  •  Pregnancy cannot be considered a pre-existing condition.
  •  You cannot be denied coverage for mental illness, a genetic flaw, a disability or because of your past claims history.

One of the key features was that HIPAA allows you to get "credit" for the time you have been insured under a previous health plan and allows you to use this credit with your new health plan, as long as the coverage is considered credible.

Credible coverage means coverage under a government or church plan, group or individual health plan, Medicare, Medicaid and Champus, Indian Health Service, state high risk pools, or coverage for federal employees.

For example

You have worked for ABC Company for 3 years and you decide to go to work for XYZ Company. Provided that you have no lapse in coverage of more than 63 days, you cannot be subject to a pre-existing period. The new employer is required to honor any time that you were insured under a prior plan.

Title II

Title two addresses the need to standardize the way healthcare data is transmitted and the protection of a patient’s health information, including privacy and security.

So what is Protected Health Information (PHI)?

PHI is:

Any and all information that you have or have access to about a person’s past, current or future medical conditions both physical or mental.

Any information that can be used to identify or link any type of treatment, services or diagnosis to a particular person including their name, address, date of birth, social security number, ID number, etc.

By all, it means ALL health care providers that deal with the insurance process themselves or that use an outside billing service. This requirement for the protection and security of all patient information applies to health insurance carriers, clearinghouses, and any and all healthcare providers that bill claims, verify benefits and eligibility, handle referrals and authorization requests, or any other healthcare related process or procedure. This includes all providers of healthcare services, including:

  • Hospitals
  • Physicians
  • Dentists
  • Clearinghouses when acting as a business associate to a provider of medical services.
  • Any other person or organization that provides a medical service, bills claims and is reimbursed for healthcare services.

Severe penalties are in place for any provider of service or business associate that fails to keep a person’s protected health information private and secure and who fails to notify when a breach of personal data has occurred.

What is a Business Associate?

Outside medical billing companies do not have direct access to patient’s information. All claims information is passed from the provider to the billing company. Medical billing companies that submit claims on a provider’s behalf may be asked to sign a Business Associate Agreement.  

A Business Associate Agreement is a legal document signed by the provider and billing company ensuring that everyone is clear on how this shared data should be protected and secured. The provider is entrusting a patient’s medical information to the billing company who, by signature, agrees to fully protect all patient data. With this agreement, the billing company understands the legal requirements for protected health information and is fully aware of the processes as well as the violations and requirements should any data be breached.

In a nutshell

Simply put, we are the keepers of Protected Health Information and we have a legal requirement and a personal obligation to keep ALL patient’s health information safe and secure.

This means that only those with a need to know should have access to a patient’s Protected Health Information.

Wanting to know, interested in and being curious about does not meet the standard of need to know. If someone is not directly related to the billing process, then they should have ZERO access to a patient’s health information.

Sources: www.hbma.org/www.wikipedia.org/www.hhs.gov

Back to Chapter One

Next to Chapter Two