The Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) established standards for the privacy and protection of individually identifiable electronic health information as well as administrative simplification standards. HIPAA includes protection for those who move from one job to another, who are self-employed, or who have preexisting medical conditions, and places requirements on employer-sponsored group health plans, insurance companies, and health maintenance organizations.

In December 2000, the final rules on standards for privacy of individually identifiable health information were published in the Federal Register. The rules (applicable to health plans, health care clearinghouses, and certain health care providers) set standards with respect to the rights of individuals who are the subjects of this information, procedures for the exercise of those rights, and the authorized and required uses and disclosures of this information. These are the first-ever national standards to protect medical records and other personal health information.

The standards:

  • Limit the nonconsensual use and release of private health information.
  • Give patients new access to their records and let them know who else has accessed them.
  • Restrict most disclosure of information to the minimum needed for the stated purpose.
  • Establish criminal and civil sanctions.
  • Establish requirements for access by researchers and others.

Providers will be required to obtain advance written consent from their patients to disclose information and to provide those patients with written information on their privacy rights.

The regulations became effective April 14, 2001. Health care providers were, however, not forced to fully comply with the changes until April 14, 2003.

In response to this regulation, many claim processors have updated and instituted a variety of confidentiality, indemnification, or business associate agreements to protect their organizations when third parties request claim information. In certain instances the auditor has been willing to sign such contracts, but the third-party administrator has interpreted the new HIPAA regulations as not allowing outside auditors access to the detailed claim information. Some believe that as long as the health information is protected by a privacy contract signed by the auditor, the third-party administrator should provide access to a plan's claim information for purposes of performing an audit of the plan's financial statements to be attached to the Form 5500 filing with the DOL.

On February 20, 2003, the security rules under HIPAA were finalized. The rules are effective for most health plans on April 21, 2005 (small health plans, as defined, will have until April 21, 2006 to comply).

A scope limitation could result when an auditor is unable to obtain access to records, either because the auditor has not signed a confidentiality agreement or because the third-party administrator refuses to provide access under any circumstances.