What is HIPAA?
The Health Insurance Portability & Accountability Act of 1996 (August 21), Public Law 104-191, which amends the Internal Revenue Service Code of 1986. Also known as the Kennedy-Kassebaum Act.
Title II includes a section, Administrative Simplification, requiring:
1. Improved efficiency in healthcare delivery by standardizing electronic data interchange, and
2. Protection of the confidentiality and security of health data through setting and enforcing standards.
More specifically, HIPAA calls for:
1. Standardization of electronic patient health, administrative and financial data
2. Unique health identifiers for individuals, employers, health plans and health care providers
3. Security standards protecting the confidentiality and integrity of "individually identifiable health information," past, present or future.
The bottom line: sweeping changes in most healthcare transaction and administrative information systems.
WHO IS AFFECTED?
All healthcare organizations. This includes all health care providers, even 1-physician offices, health plans, employers, public health authorities, life insurers, clearinghouses, billing agencies, information systems vendors, service organizations, and universities.
ARE THERE PENALTIES?
HIPAA calls for severe civil and criminal penalties for noncompliance, including:
-- fines up to $25,000.00 for multiple violations of the same standard in a calendar year
-- fines up to $250,000.00 and/or imprisonment up to 10 years for knowing misuse of individually identifiable health information
COMPLIANCE DEADLINES?
Most entities have 24 months from the effective date of the final rules to achieve compliance. Normally, the effective date is 60 days after a rule is published. The Transactions Rule was published on August 17, 2000, so the compliance date for that rule is October 16, 2002. The Privacy Rule was published on December 28, 2000, but due to a minor glitch did not become effective until April 14, 2001. Compliance with the Privacy Rule is required by April 14, 2003.
HOW WILL WE BE AFFECTED?
Broadly and deeply. Required compliance responses aren't standard, because organizations aren't. For example, an organization with a computer network will be required to implement one or more authentication and access control mechanisms - "user-based," "role-based," and/or "context-based" access - depending on its network environment.
Effective compliance will require organization-wide implementation. Steps will include:
· Building initial organizational awareness of HIPAA
· Comprehensively assessing the organization's information security systems, policies and procedures
· Developing an action plan with deadlines and timetables
· Developing a technical and management infrastructure to implement the plan
· Implementing a comprehensive action plan, including