
HIPAA Compliance

HIPAA

Signed into law on August 21, 1996, the Health Insurance Portability and Accountability Act (HIPAA) - also known as the Kennedy/Kassebaum Act (PL 104-191) - was originally intended to ensure the portability of health insurance when an individual moves from one health plan to another. As the bill progressed through the federal legislative process, its scope expanded.

  • Title I addresses healthcare access and the portability and renewability of health insurance plans.
  • Title II addresses fraud and abuse and the resulting penalties as well as administrative simplification and the privacy of individually identifiable health records.
  • Titles III, IV, and V amend the Internal Revenue Code and address medical savings accounts and other tax-related provisions.

Title II

Title II requirements are expressed through the Privacy Rule, the Security Rule, and rules regarding Transaction and Code Sets.

Privacy Rule

Under the Privacy Rule:

  • A covered entity and its business associates must protect individually identifiable health information.
  • A covered entity is a health care provider who transmits any health information electronically in connection with certain transactions; or a health plan or health care clearinghouse.
  • A business associate is a person who performs a function or activity on behalf of, or provides services to, a covered entity that involves individually identifiable health information. A business associate is not a workforce member. A covered entity can be a business associate to another covered entity.
  • A covered entity may not use or disclose protected health information except as permitted or required by the Privacy Rule.
  • Protected health information (PHI) is individually identifiable health information that is transmitted or maintained in any form or medium by a covered entity or its business associate.
  • Protected health information must be disclosed to the individual (if requested) and to the federal Department of Health and Human Services if needed to investigate or determine compliance with the Privacy Rule.
  • Any person who believes a covered entity is not complying with the Privacy Rule may file a written complaint.

Security Rule

The Security Rule establishes standards for protecting individually identifiable health information when it is maintained or transmitted electronically. Under HIPAA security standards, health insurers, certain healthcare providers, and healthcare clearinghouses must establish procedures and mechanisms to protect the confidentiality, integrity and availability of electronic protected health information. The rule requires covered entities to implement administrative, physical and technical safeguards to protect electronic protected health information in their care.

The major difference between the Security Rule and the Privacy Rule is that the former concentrates on electronic information and the latter encompasses electronic, oral and physical information.

The second significant difference between the Security Rule and the Privacy Rule is the enforcement agency. The federal Centers for Medicare & Medicaid Services (CMS) is responsible for implementing and enforcing the security standards, the transactions standards, and other HIPAA administrative simplification provisions, except for the privacy standards. HHS' Office for Civil Rights is responsible for implementing and enforcing the Privacy Rule.

Complaints

You have the right to file a complaint if you believe that the County of San Bernardino has given out or used your personal health information inappropriately. You may contact either:

  • County of San Bernardino HIPAA Complaints Official
    HIPAAComplaints@cao.sbcounty.gov
    157 West Fifth Street, First Floor
    San Bernardino CA 92415-0400
    (909) 387-8950 fax
    (909) 387-4500 phone

Under the HIPAA rules it is unlawful for an employee of San Bernardino County to take an action against you because you:

  • Filed a complaint;
  • Helped with an investigation; or
  • Opposed a practice that you think is unlawful under HIPAA.

If you believe that an action was taken against you, contact the complaints officer.

Additional Information

Additional information regarding the Privacy Rule is available at http://www.hhs.gov/ocr/hipaa/. Additional information regarding the Security Rule is available at http://www.cms.hhs.gov/SecurityStandard/.