Healthcare Regulations

A. Health Insurance Portability and Accountability Act (HIPAA) of 1996

1. Titles (there are only two)

Title I: protects workers and their families from loss of coverage when they change or lose their job

Title II: The Administrative Simplification (AS) provisions require establishment of national standards

2. Goals

  • Records portability
  • Reduce waste, fraud and abuse
  • Reduce costs
  • Protect patient privacy

3. Requirements

  • Dictates backup and restore policies and procedures (P&P)
  • Offsite backup with a provider, including an SLA for rates, scope and minimum standards

4. The Privacy Rule requires accounting of all disclosures of PHI by Covered Entities (CEs):

  • Providers
  • Health plans
  • Clearinghouses like billing operations
  • Business Associates (BA), which require a Business Associate Agreement (BAA)

Individually identifiable health information created by a CE or a BA is Protected Health Information (PHI):

  • Past, present or future
  • Mental and physical
  • Payment information
  • Provision information
  • As long as retained by provider
  • Even after death

Deidentified Information

Must be certified by statistician or expert

May be deidentified by an “encoder” program

18 key identifiers removed

Birth Date ONLY removed if patients are 90 or older!
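An added example (not from the original notes) of what an "encoder" program does under the HIPAA Safe Harbor method: it drops the direct identifiers, reduces dates to the year, truncates ZIP codes, and removes the birth year only for patients aged 90 or older, reporting them as an aggregate "90+". The identifier set and field names are my assumptions; the low-population ZIP exception is left out.

```python
from datetime import date

# Direct identifiers the Safe Harbor method removes outright. Field names are
# assumed for this example; a real record layout will differ.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "phone", "fax", "email", "ssn",
    "medical_record_number", "health_plan_id", "account_number",
    "license_number", "vehicle_id", "device_id", "url", "ip_address",
    "biometric_id", "photo", "other_unique_id",
}


def _age_on(born: date, as_of: date) -> int:
    """Whole years between a birth date and a reference date."""
    return as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))


def deidentify(record: dict, as_of: str) -> dict:
    """Return a Safe Harbor de-identified copy of a patient record.

    - direct identifiers are dropped
    - every *_date field keeps only its year (YYYY-MM-DD -> YYYY)
    - ZIP codes are truncated to their first three digits
    - patients aged 90 or older lose their birth year and get age "90+"
    The input is not modified; as_of is an ISO date string.
    """
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS:
            continue  # remove the identifier entirely
        if key == "zip":
            out[key] = str(value)[:3]
        elif key.endswith("_date"):
            out[key] = str(value)[:4]  # year only
        else:
            out[key] = value

    dob = record.get("birth_date")
    if dob is not None:
        age = _age_on(date.fromisoformat(dob), date.fromisoformat(as_of))
        if age >= 90:
            out.pop("birth_date", None)  # even the year would reveal age > 89
            out["age"] = "90+"
        else:
            out["age"] = age
    return out
```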

Practical Requirements

  • Employee training
  • Privacy P&P
  • Privacy Officer
  • Entities must limit use or disclosure of PHI to the minimum necessary number of people.

Parents and family do NOT have an automatic right to patient records.

Birth parents of a foster child do NOT have a right to patient records.

Family members do NOT have a right to records for custody cases.

Privacy Rule is enforced by the Office for Civil Rights (OCR).

5. The Security Rule mandates technical safeguards and logging of all PHI releases.

Specifies Administrative, Technical and Physical safeguards for HIPAA compliance.

Regulates electronically transmitted or stored information (ePHI).

CEs must ensure officers and employees comply with the Security Rule, usually through training requirements.

Logging was first mandated by this rule.

6. The Identifier Rule mandates that CEs have a National Provider Identifier (NPI).

7. The Transaction and Code Sets Rule regulates electronic data interchange (EDI) formats.

Transactions include all documents, insurance claims, encounter records, insurance enrollment and disenrollment, eligibility documents, payment and remittance records, first reports of injury and coordination of benefits.


B. ARRA – the American Recovery and Reinvestment Act of 2009, overseen by the ONC

1. The HITECH Act requires providers and third parties to comply with HIPAA regulations.

  1. Tougher penalties
  2. Express permission of patient required for disclosure
  3. Sale of PHI limited
  4. Patients can audit records
  5. Encryption required
  6. Requires public notice of breach

Requires records of creation, modification, deletion or printing of anything containing PHI, including emails.

*Business Associates (BAs) now have to comply with the Security Rule the same as CEs.*

HHS must be notified of any data breach of more than 500 patients. (Patients must also be notified?)

HITECH Act Enforcement

  • Unknowing violations, despite due diligence: $1,000 – $25,000/yr/violation. {CONFIRMED}
  • [CHECK NEW] Reasonable cause, but not willful neglect: $1,000 – $100,000/yr/violation.
  • [CHECK NEW] Willful neglect (a civil penalty), if corrected within 30 days of knowledge of the violation: $10,000 – $250,000/yr/violation.
  • Willful neglect that goes uncorrected: $50,000 – $1,500,000/yr/violation, plus up to 1 year in prison.
  • Obtaining PHI through wrongful conduct involving false pretenses: up to 5 years in prison.


HIT Regional Extension Centers (RECs) promote HIT

Part IV specifies Medicare and Medicaid incentives for:

  • Prospective payment system (PPS) hospitals, paid based on diagnosis, not costs (a Medicare Part A system)
  • Critical access hospitals (CAHs), which get cost-based reimbursement from Medicare

HITECH and Meaningful Use

  • EHRs must be certified
  • Must be used in a meaningful manner, including electronic prescriptions
  • Must collect and submit quality-measure data
  • Must be used to exchange information to improve the quality of healthcare

Financial Incentives for EHR adoption under HITECH have been diminishing by year:

  • 2012: $18,000
  • 2013: $15,000
  • 2014: $12,000
  • 2015: $8,000
  • 2016: $4,000

C. Code of Federal Regulations (CFR)

Title 21 CFR Part 11

Defines the criteria for electronic records and signatures to be considered trustworthy, reliable and equivalent to paper records.

Applies to FDA-regulated entities: drug makers, device manufacturers, biotech firms etc.

Requires controls and audit trails for system validations, electronic signatures and software and system documentation.

Part 20

Covers what information may or may not be shared with the general public.

Part 7

Enforcement policies for food, drugs and cosmetics

D. The Patient Self Determination Act (1990)

“Preserves the patient’s wishes, rights, healthcare options and advanced directives even if the decision results in the death of the patient.”


E. The Patient Bill of Rights

Eight rights every patient has

  • To file a complaint


Legal practices

Informed Consent – consent of a patient to treatment or trial after understanding of facts and risks

Legally binding contracts require

  • Payment or consideration between parties
  • No illegal activities
  • Actions of parties must be described
  • Agreement without threat or duress

Memorandum of Understanding (MOU)

A good MOU should:

  • use plain language
  • identify all parties
  • outline expectations of all parties
  • specify termination process

Rights of Minors

A minor child can request and receive treatment, without parental consent, for:

  • Drug or alcohol abuse
  • STDs

Service Level Agreements – define a provider’s responsibilities when providing a service by performance measures:

  • Downtime: maximum periods allowed
  • Downtime period: how long a service must be non-functional to be considered “down”
  • Monthly uptime percentage
  • Scheduled downtime for service
  • Service credit: compensation for downtime, often in “free time”
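An added example (not from the original notes) that turns the SLA measures above into a monthly uptime calculation: outage intervals shorter than the agreed downtime period are not counted as "down", time overlapping scheduled maintenance is excluded, and a service credit is read off a tier table. The 30-day month, the five-minute threshold and the credit tiers are assumptions for the example.

```python
from datetime import datetime, timedelta

MINUTES_IN_MONTH = 30 * 24 * 60  # assumed 30-day billing month


def _overlap(a_start, a_end, b_start, b_end) -> timedelta:
    """Length of the intersection of two intervals (zero if disjoint)."""
    return max(timedelta(), min(a_end, b_end) - max(a_start, b_start))


def uptime_report(outages, scheduled, min_down_minutes, credit_tiers):
    """Compute (monthly uptime %, service credit %) from outage records.

    outages, scheduled: lists of (start, end) ISO-8601 timestamp pairs
    min_down_minutes:   an outage shorter than this is not counted as "down"
    credit_tiers:       [(uptime_threshold_pct, credit_pct), ...] ordered from
                        the highest threshold to the lowest; the credit for
                        the lowest threshold the uptime falls under applies
    """
    counted_down = timedelta()
    for start, end in outages:
        s, e = datetime.fromisoformat(start), datetime.fromisoformat(end)
        duration = e - s
        # scheduled maintenance does not count against the provider
        for m_start, m_end in scheduled:
            duration -= _overlap(s, e, datetime.fromisoformat(m_start),
                                 datetime.fromisoformat(m_end))
        if duration >= timedelta(minutes=min_down_minutes):
            counted_down += duration

    down_minutes = counted_down.total_seconds() / 60
    uptime_pct = 100 * (1 - down_minutes / MINUTES_IN_MONTH)

    credit_pct = 0
    for threshold, credit in credit_tiers:
        if uptime_pct < threshold:
            credit_pct = credit
    return round(uptime_pct, 3), credit_pct
```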

Waivers of Liability – signed by patient to indemnify providers (not allowed in some states)