MRCI WorkSource
Creating Innovative and Genuine Opportunities For People with Disabilities or Disadvantages to Support their Community Participation
HIPAA Summary
HIPAA background summary:
The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996. In passing HIPAA, Congress intended to:
•Improve the portability and continuity of health insurance coverage for individuals. These provisions took effect in 1997 and protect individual health care coverage in the event of job loss or change.
•Combat waste, fraud and abuse in health insurance and health care delivery. HIPAA is an industry-wide effort to improve health care administration, simplify billing and payment processes and protect personal health information.
•Standardize electronic data interchanges between health care organizations. This refers to the first of HIPAA's administrative simplification provisions to standardize electronic data interchange, or EDI. These regulations define more uniform methods to electronically bill and share health information between providers, payers and other organizations in both the private and public sectors.
•Protect the security, privacy and availability of individual health information. New HIPAA privacy regulations will change how health care providers, payers and employers use and release health information, allowing for enhanced security and individual control of personal health information. Proposed security standards will set reasonable and appropriate security measures that every organization must follow to maintain, store and process health care information. HIPAA security standards will ensure that appropriate protections are in place to protect the integrity, confidentiality and availability of health-related information.
HIPAA has three areas that concern MRCI: (1) privacy, (2) security and (3) the electronic transfer of protected health information. The privacy part of the regulations went into effect April 14, 2003.
Protected health information is individually identified health information, created or received, relating to the past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual, regardless of its form, including electronic information, paper records and oral communication.
HIPAA grants the following rights to individuals:
•Right to a written notice that describes how the covered entities use and disclose the individual’s protected health information.
•Right to prohibit the sharing of the individual's health care information except as permitted by the individual, or allowed by regulation.
•Right to request a restriction of the uses and disclosures of the individual's protected health information (although covered entities may not need to agree with these restrictions).
•Right to inspect and obtain copies of health information about the individual.
•Right to amend the health record where appropriate.
•Right to receive an accounting of disclosures of the individual's protected health information, with some exceptions (disclosures for health care operations, payment and treatment purposes).
•Right to request that communications be sent to an alternative address.
•Right to complain to a specified person or office of covered entities and to the Department of Health and Human Services, Office for Civil Rights.
The HIPAA privacy regulations mandate that covered entities such as MRCI comply with the following administrative requirements.
Entities must:
•Designate a privacy official who is responsible for the development and implementation of the HIPAA policies and procedures of the entity (Audrey Olsen is MRCI's privacy official);
•Document policies and procedures with respect to protected health information showing compliance with the HIPAA privacy regulations;
•Make reasonable efforts to limit the use and disclosure of protected health information to the minimum necessary to accomplish the intended purpose of the use or disclosure;
•Provide a process for access to the individual's health information;
•Develop a system for tracking disclosures of protected health information, with some exceptions, such as disclosures for payment, treatment or health care operations;
•Provide a process for individuals to amend their health records when appropriate;
•Develop business associate contracts or agreements that ensure business associates will comply with HIPAA requirements (our business associates might be CARF staff and other auditors);
•Mitigate, to the extent possible, any harmful effect that is known to the entity from the use or disclosure of private health information in violation of the entity's policies and procedures;
•Develop procedures for verification of the person requesting the protected health information and the authority of that person to have access;
•Provide a process for individuals to request alternative means of communication;
•Provide a process for individuals to request restrictions on the use of their health information;
•Provide a process for individuals to make complaints concerning the covered entity's policies and procedures or compliance with such policies and procedures;
•Refrain from requiring individuals to waive the right to complain to the covered entity or to the DHHS Office for Civil Rights as a condition of receiving treatment;
•Refrain from intimidating or retaliatory acts toward individuals exercising their rights granted under the HIPAA privacy regulations;
•Have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information;
•Provide training for workforce members on the policies and procedures protecting health information;
•Apply appropriate safeguards against members of its workforce who fail to comply with the policies and procedures of the entity;
•Develop and disseminate a privacy notice, which is available on another page of this site.
The law mandates that covered entities establish policies and procedures to implement HIPAA rule requirements. MRCI's policies and procedures are in manual form, titled MRCI - HIPAA Policies and Procedures.