After a final rule is issued by HHS, Congress has two months to review the rule. When those two months have expired, covered entities have 24 months to be in full compliance with the law or face penalties.
- When the rules are expected:
Security: Perhaps by the end of the year
- All healthcare providers, including hospitals, clinics, nursing homes, physicians, dentists and suppliers. Entities that furnish, bill or are paid for healthcare services in the normal course of business. Entities that transmit health information in electronic form in connection with specific transactions.
- All healthcare clearinghouses, including billing services and repricing companies.
- All health plans, including group health plans, health insurance issuers, HMOs, Medicare, Medicaid and government health care programs.
Any information, either oral or recorded in any form or medium, that:
- is created or received by a healthcare provider, health plan, public health authority, employer, life insurer, school, university or healthcare clearinghouse; and
- relates to the past, present or future physical or mental health or condition of an individual; the provision of healthcare to an individual; or the past, present or future payment for the provision of healthcare to an individual; and identifies the patient, or there is a reasonable basis to believe that the information can be used to identify the individual.
- Awareness, education, top management commitment
- Development of strategic approach
- Inventory of current status
- Risk assessment
- Standards selection
- Resource and cost estimation
- Business partner negotiation
- Operational policy and procedure development
- Implementation and testing
- Ongoing monitoring and compliance
- for general information: aspe.hhs.gov/admnsimp
- for potential new requirements: www.ncvhs.hhs.gov
- for implementation guides: www.wpc-edi.com/HIPAA