The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and its administrative simplification provisions established rules and regulations around the standards and requirements for transmitting certain health information to improve the efficiency and effectiveness of the health care system while protecting patient privacy.
1) HIPAA applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically.
2) The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. This information is referred to as “protected health information (PHI)”.
3) PHI is information that relates to: the individual’s past, present or future physical or mental health or condition, the provision of health care to the individual, or the past, present, or future payment for the provision of health care to the individual, and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual.
4) The minimum necessary rule is a key protection of the HIPAA Privacy Rule. Under this rule, PHI must not be used or disclosed when it is not necessary to satisfy a particular purpose or carry out a function.
5) Penalties range from $100 to $50,000 or more per violation.
This content is being provided as an informational tool. It is believed to be accurate at the time of posting and is subject to change. It is recommended that plans consult with their own experts or counsel to review all applicable federal and state legal requirements that may apply to their group health plan. By providing this information, Meritain Health is not exercising discretionary authority or assuming a plan fiduciary role, nor is Meritain Health providing legal advice.