Academic journal article Journal of Accountancy

How Health Care Data Security Rules May Affect You: CPAs Need to Understand Their Responsibilities under HIPAA to Avoid Potentially Severe Civil and Criminal Penalties

Article excerpt

CPAs working in many capacities are affected by changes in federal law that expand the requirements for maintaining patient health care data security:

* When providing consulting services to health care entities, CPAs may receive protected patient information.

* Patient data may come into possession of CPAs providing litigation support--including in divorce cases and claims by or against health care providers.

* CPAs testing internal controls as part of audit procedures may receive patient health care data.

The recent revisions to a federal law best known for its patient privacy and data security rules have important implications that CPAs will need to consider carefully in the context of the services they provide. Violators of these new regulations may be subject to civil and criminal penalties, so developing an understanding of the new rules is a must.

The Health Insurance Portability and Accountability Act (HIPAA), P.L. 104-191, is a far-reaching piece of legislation that originated in 1996, when it was known as the Kennedy-Kassebaum Act, named after the two U.S. senators who sponsored it. HIPAA contained important sections on fraud and abuse enforcement, income taxation (including expansion of the repatriation tax), and, notably, health insurance and limitations on preexisting condition exclusions and other antidiscrimination rules. Thus, it is integral to an understanding of the context of the Patient Protection and Affordable Care Act (PPACA), P.L. 111-148, as well.

As part of a comprehensive overhaul of electronic data storage and transmission requirements, 2009's Health Information Technology for Economic and Clinical Health (HITECH) Act (passed as part of the American Recovery and Reinvestment Act of 2009, P.L. 111-5) significantly expanded the reach of HIPAA's privacy rules beyond "covered entities," which are defined as health plans, health care clearinghouses, and health care providers that electronically transmit health information. Regulations implementing the HITECH Act's revisions to HIPAA were published as part of the HIPAA Omnibus Final Rule in January 2013 and went into effect in September 2013.

The notable changes wrought by the HITECH Act include expansion of the patient protection provisions and, more importantly for CPAs, the extension of the requirements for maintaining patient health care data security beyond health care providers to their "business associates." Understanding HIPAA is thus more important than ever for CPAs with clients in the health care industry, or with clients who deal with health care industry clients.

HIPAA coined a number of defined terms that CPAs need to be familiar with to implement appropriate practices in their firms.

PROTECTED HEALTH INFORMATION

Protected health information (PHI) is individually identifiable health information that is held or transmitted by a covered entity. Individually identifiable health information is defined as information, including demographic data, that identifies the individual (or that could reasonably be used to identify the individual), relating to at least one of the following:

* The individual's past, present, or future physical or mental health or condition;

* The provision of health care to the individual; or

* The past, present, or future payment for the provision of health care to the individual.

PHI includes individually identifiable health information transmitted by electronic media, maintained in any medium described in the definition of electronic media, or transmitted or maintained in any other form or medium. Merely knowing of the provision of health care to an individual through an engagement is considered PHI, and, for purposes of HIPAA, conversations about a patient constitute transmission of PHI. Dentists, physical therapists, home health aides, and many social workers are covered by HIPAA, in addition to physicians, hospitals, nursing facilities, imaging centers, and all forms of health care providers. …
