Compliance with HIPAA Privacy
RCC is required to adhere to rules established by the Health Insurance Portability and Accountability Act (HIPAA) of 1996 (the Privacy Rule). HIPAA, a federal law, governs:
- The privacy of identifiable health information – referred to as protected health information (PHI) – regardless of the format in which it exists (this includes electronic, written, and verbal information)
- Electronic data interchange and code set standards
- Security of PHI
HIPAA applies to health care providers, health plans, health care clearinghouses, and those third parties that perform services involving PHI or exchange electronic data on behalf of RCC.
American Recovery and Reinvestment Act
On February 17, 2009, President Obama signed the American Recovery and Reinvestment Act (ARRA). ARRA, also known as the federal stimulus bill, includes both privacy and security related provisions that require, among other things, an amendment to the HIPAA Business Associate Terms and Conditions that RCC has in place with third parties that have access to patient information (called Business Associates).
Guidelines for Business Associates
If you either (a) agreed to the RCC Terms and Conditions for Business Associates or (b) are a new Business Associate, by continuing to perform services after February 17, 2010, you agree to comply with the Revised Terms and Conditions for Business Associates.
FTC “Red Flags” Rules
RCC must also address requirements related to the Federal Trade Commission’s (FTC) “Red Flags” Rules. The Rules were issued under the Fair and Accurate Credit Transactions Act (FACTA). The purpose of the Rules is to aid in preventing, mitigating and responding to incidents of identity theft.
FACTA has been interpreted so that health care providers, such as RCC, are “creditors” and are therefore subject to the Rules. The Rules provide that a creditor is responsible for ensuring its service providers are in compliance with the Rules as well.