HIPAA

HIPAA - PORTABILITY

HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. The initial implementation of HIPAA requirements occurred in 1996 – yes, it has been that long! The portability requirements of HIPAA required our clients to address their pre-existing condition limitations, implement certificates of creditable coverage, address special enrollment requirements and ensure there was no discrimination due to health status.

Most of these implementations required plan changes that have now been addressed by ABPA’s clients. However, Plan Sponsors needed to ensure that their covered individuals received a certificate of creditable coverage and their revised plans were administered according to the new HIPAA requirements. That’s where ABPA came in. We distribute the certificates of creditable coverage on behalf of our clients and administer their plans as required by the HIPAA regulations and our clients’ own unique requirements.
 
For additional information, refer to the Department of Labor's website:
      HIPAA Fact Sheet
 

HIPAA – ADMINISTRATIVE SIMPLIFICATION RULES
 
In addition to the portability requirements, HIPAA implemented the “Administrative Simplification Rules”. Sounds “simple”, right? Unfortunately, that is not the case. This portion of HIPAA addresses privacy, security, electronic transactions and code sets, and unique identifier standards.
 
For more information about the HIPAA Administrative Simplification Rules, see the Health and Human Services website.
 

HIPAA - PRIVACY & SECURITY
 
Under the privacy and security standards, ABPA’s clients need to ensure that their covered individuals’ PHI (Protected Health Information) is protected from unauthorized uses and disclosures whether the information is in written, oral or electronic format. ABPA goes to great lengths to ensure that the PHI we use and disclose is protected.

ABPA has designated members of our workforce to serve as privacy contact persons. The designated privacy contact persons oversee all ongoing activities related to the development, implementation, maintenance of, and adherence to our policies and procedures. These policies and procedures cover the privacy of, and access to, PHI in compliance with HIPAA.

All employees and members of ABPA’s contracted workforce have been trained on the HIPAA privacy policies and procedures with respect to PHI. All new employees and members of our contracted workforce are trained within a reasonable period of time after they join our workforce. The designated privacy official or contact person is charged with ensuring that training programs are developed so that all workforce members receive the training necessary and appropriate to permit them to carry out their functions within the company.

We have established appropriate technical and physical safeguards to prevent PHI from intentionally or unintentionally being used or disclosed in violation of HIPAA’s requirements as outlined in our Business Associate Agreements. Technical safeguards include limiting access to information using computer firewalls. Physical safeguards include locking exterior doors and limiting visitor access to areas where sensitive information may be present.

Firewalls will ensure that only authorized workforce members or employees will have access to PHI, that they will have access to only the minimum amount of PHI necessary to perform their job functions, and that they will not further use or disclose PHI, other than as permitted under HIPAA’s Privacy Rule as outlined in our Business Associate Agreements.

Sanctions for using or disclosing PHI in violation of the HIPAA Privacy or Security rule or our own privacy policies, procedures, and practices will be imposed on employees and members of our contracted workforce in accordance with our discipline policy, up to and including termination of employment.

We will take steps to correct, to the extent practicable, harmful effects known to us that result from unauthorized uses and disclosures of PHI in violation of the HIPAA Privacy Rule or our privacy policies, procedures and practices. All employees or members of our contracted workforce who become aware of such violations are required to immediately report them to management or to the appropriate HIPAA contact person so that the appropriate steps can be taken to mitigate harmful effects.

No workforce member or employee may intimidate, threaten, coerce, discriminate against, or take other retaliatory action against individuals for exercising their rights, filing a complaint, participating in an investigation, or opposing any improper practice under HIPAA.

Furthermore, no individual shall be required to waive his or her privacy rights under HIPAA as a condition of payment, enrollment or eligibility.

Acting on behalf of our clients, we document our policies, procedures, and practices in writing (as well as any changes thereto). We also document certain events and actions as required by HIPAA, including disclosures, authorizations, requests for information, sanctions and complaints and responses. We maintain all documentation for at least six years from the date of its creation or the date it was last in effect (whichever is later) or longer if required by state law or ABPA’s policy.

We require all agents and subcontractors who access PHI to sign and accept the conditions of the Business Associate Agreement. We document, in writing, all agreements with our agents, subcontractors and business partners with whom we share PHI.
 

HIPAA - HITECH

The American Recovery and Reinvestment Act of 2009 (ARRA) added several provisions. One of those provisions is the Health Information Technology for Economic and Clinical Health Act or “HITECH”. This provision made several changes to HIPAA requirements, including requiring Business Associates to directly comply with HIPAA. In addition, the breach notification requirements were updated to require timely notice to the Covered Entity, participants and Health and Human Services (“HHS”). Other changes include additional rights for individuals and additional enforcement provisions. The good news for our clients is that, from inception of HIPAA, ABPA had created its HIPAA policies and procedures as if we were a Covered Entity. Therefore, changes were required to ABPA policies and procedures, Business Associate Agreements and employee training programs.