These rules apply to "covered entities" as defined by HIPAA and the HHS. Covered entities include health plans, health care clearinghouses, such as billing services and community health information systems, and health care providers that transmit health care data in a way that is regulated by HIPAA [10] [11].
Per the requirements of Title II, the HHS has promulgated five rules regarding Administrative Simplification: the Privacy Rule, the Transactions and Code Sets Rule, the Security Rule, the Unique Identifiers Rule, and the Enforcement Rule.
The Privacy Rule
The Privacy Rule took effect April 14, 2003, with a one-year extension for certain "small plans". It establishes regulations for the use and disclosure of Protected Health Information (PHI). PHI is any information about health status, provision of health care, or payment for health care that can be linked to an individual[12]. This is interpreted rather broadly and includes any part of a patient's medical record or payment history.
Covered entities must disclose PHI to the individual within 30 days upon request[13]. They also must disclose PHI when required to do so by law, such as reporting suspected child abuse to state child welfare agencies[14].
A covered entity may disclose PHI to facilitate treatment, payment, or health care operations[15] or if the covered entity has obtained authorization from the individual[16]. However, when a covered entity discloses any PHI, it must make a reasonable effort to disclose only the minimum necessary information required to achieve its purpose[17].
The Privacy Rule gives individuals the right to request that a covered entity correct any inaccurate PHI[18]. It also requires covered entities to take reasonable steps to ensure the confidentiality of communications with individuals[19]. For instance, an individual can ask to be called at his or her work number, instead of home or cell phone number.
The Privacy Rule requires covered entities to notify individuals of uses of their PHI. Covered entities must also keep track of disclosures of PHI and document privacy policies and procedures[20]. They must appoint a Privacy Official and a contact person[21]responsible for receiving complaints and train all members of their workforce in procedures regarding PHI[22].
An individual who believes that the Privacy Rule is not being upheld can file a complaint with the Department of Health and Human Services Office for Civil Rights (OCR) [23][24].
The Transactions and Code Sets Rule
The HIPAA/EDI provision was scheduled to take effect October 16, 2003 with a one-year extension for certain "small plans"; however, due to widespread confusion and difficulty in implementing the rule, CMS granted a one-year extension to all parties. As of October 16, 2004, full implementation was not achieved and CMS began an open-ended "contingency period." Penalties for non-compliance were not levied; however, all parties are expected to make a "good-faith effort" to come into compliance.
CMS announced that the Medicare contingency period ended July 1, 2005. After July 1, most medical providers that file electronically will have to file their electronic claims using the HIPAA standards in order to be paid. There are exceptions for doctors that meet certain criteria.
