HIPPAA (HIPA) and Sarbanes-Oxley Laws Effect on Record Keeping

HIPPA, Health Insurance Portability and Accountability Act was passed by congress in 1996. "HIPPA is the first federal law to address health privacy in a comprehensive way" (HIPAA and Records Management) It directly affects all doctors, clinics, hospitals, dentists and other healthcare organizations. Employers with over 50 people provided health insurance; IT solutions providers who store patient records (data service providers) and other technical companies down the line (who provide the software) are also directly affected. Industries working with healthcare industries may be required to enter into a 'Business Associates Contract. HIPAA's privacy rules impact all organizations in some way and provide individual patrons new control over their patient records and how that data is used. For the most part HIPAA compliance was mandatory April 14, 2003. A lot of businesses are just beginning to realize that the HIPAA law is something they must comply with.

"According to privacy regulation, documents relating to uses and disclosures, authorization forms, business partner contracts, notices of your information practice, responses to a patient who wants to amend or correct their information, the patient's statement of disagreement, and a complaint record bust be maintained for 6 years (See 64 Fed. Reg. 59994)" (Calloway) Medical records as well as billing records on Medicare and maternal and child health must be retained for 6 years; health records must be retained for 2 years after a patients death. Al hospitals must retain medical records in their original/legally produced form for 5 years. Many healthcare providers maintain records for a longer period, due to statute of limitations (the time for suing) and for minors, until the age of 21.

HIPPA also affects electronic data and record keeping of all individual health info, on disk or electronic tape. The legislation "ensures the integrity and confidentiality of data by eliminating access to it by outside intrusion or by internal, unauthorized personnel." (Crowe) Access to the data must also be track able