HealthPort & HIPAA
HealthPort's HIPAA Statement
April 2003 marked the compliance deadline for the HIPAA Privacy Rule. HealthPort's suite of technology and services meets or exceeds the requirements set by this rule.
How Does HealthPort's System Comply with HIPAA?
HealthPort's executives and legal counsel have thoroughly reviewed the Department of Health and Human Service's Transaction Standards, Security Standards, and the Privacy Standards including the Final Privacy Rule published in August 2002.
The Transaction Standards are intended to improve the efficiency and effectiveness of the U.S. health care system by establishing national standards for electronic health care transactions. The standards apply only to data transmitted electronically between healthcare providers and health plans. To the extent that these standards may be applicable to HealthPort's business, HealthPort has been in compliance, even prior to the HIPAA deadline. The Security Standards specify the steps that must be taken to ensure the security of protected health information that is transmitted electronically.
The Privacy Standards and the Final Rule, which required compliance by April 14, 2003, apply to all uses of individually identifiable health information, whether or not it is in electronic form. HealthPort's ROI services are subject to the Rule, as HealthPort is a "Business Associate" as defined within. HealthPort has worked closely with its member facilities to stay abreast of changing requirements and to help its members ensure compliance. Since HealthPort's business depends on ensuring the confidentiality and security of the data it handles, most of what is required under the Privacy Rule was incorporated into HealthPort's policies, procedures, and training prior to the April 2003 deadline.
HealthPort's Legal Position Regarding Patient Fees Under HIPAA
HealthPort's compliance with the provisions of the Privacy Rule under HIPAA (the Health Insurance Portability and Accountability Act) is as follows:
In Section 164.524(c)(4), HIPAA states that:
"If the individual requests a copy of the protected health information...the covered entity may impose a reasonable, cost-based fee, provided that the fee includes only the cost of: (i) Copying, including the cost of supplies for and labor of copying, the protected health information requested by the individual; (ii) Postage, when the individual has requested the copy...to be mailed, and (iii) Preparing an explanation or summary of the protected health information, if agreed to by the individual as required by paragraph (c)(2)(ii) of this section."
This reasonable, cost-based fee excludes charging individuals for such items as the records search, retrieval of the file, administrative costs, clerical costs, etc., although these items typically constitute a considerable percentage of HealthPort's cost for performing these services. In regulated states, the statutory/regulatory per-page fee is deemed to be reasonable for this "individual" fee purpose under HIPAA.
Attorney and insurer rates did not change under HIPAA. This is due to specific direction from the Department of Health and Human Services (HHS), the author of the HIPAA Privacy Rule. In the August 14, 2002, Final Rule published in the Federal Register of that date, Volume 67, No. 157, on page 53254, HHS states:
"The Department clarifies that the Rule, at Section 164.524(c)(4), limits only the fees that may be charged to individuals, or to their personal representatives in accordance with Section 164.502(g), when the request is to obtain a copy of protected health information about the individual in accordance with the right of access. The fee limitations do not apply to any other permissible disclosures by the covered entity, including disclosures that are permitted for treatment, payment and health care operations, disclosures that are based on an individual's authorization that is valid under 164.508, or other disclosures permitted without the individual's authorization as specified in 164.512...."
(Note: "personal representatives" are defined in 164.502(g) as (1) parents/guardians, or (2) administrators/executors of the estate of a deceased person, or (3) those who hold a healthcare power of attorney.)
This definitive statement by HHS in the Comments section of the Final Rule bolsters the language of the regulation as published in December 2000 in 65 Fed. Reg. 250, page 82824.
Return to Top