Overview of the Three Standards of HIPAA Relevant to Psychotherapists
Barney McDowell 3-10-03
I. Health and Human Services published three separate “standards” required of all “covered entities”: 1) the Privacy Standards, 2) the Security Standards, and 3) the Transaction Standards. The “standards” are sometimes called “Rules”.
II. The first task for each health care provider is to determine if the law considers them to be a “covered entity” or “non-covered entity”:
A. If a provider qualifies as a non-covered entity, the law simply doesn’t apply to their practice. (See our separate section on this topic!)
B. If a provider is “covered”, different requirements ensue for each of the three rules:
1) the “Privacy Standard” applies to “uses and disclosures” of all “protected health information” in paper, electronic, or oral forms. This is addressed in the bulk of the materials you will find under our HIPAA Help section.
2) the Transaction Standards apply only to electronic “transactions”; this ‘rule’ amounts to prescribed software codes that have been issued by the government for how protected health information must be guarded when transmitted electronically.
3) the Security Standards specify “physical, administrative, and technical” protective measures against unauthorized “access, alteration, deletion, and transmission” of electronic information that is “created, maintained, received, or transmitted”.
III. Different Deadlines for Compliance for Each of the Three Standards
A. Privacy Standards: April 14, 2003
B. Security Standards: April 21, 2005
C. Transactions Standards: This is already in effect as of October 16, 2002, unless a covered entity filed for an extension before that date. Also, if a covered entity hasn’t ever done an electronic transaction and hasn’t filed an extension, April 14, 2003 will be the compliance date if, indeed, they ever do participate in an electronic transaction.