American Heart Association
 Members Log On  Customer Service 
National Registry of CPR

HIPAA Information

HIPAA: Implications to the National Registry of CardioPulmonary Resuscitation

Congress passed the Health Insurance Portability & Accountability Act (HIPAA) in 1996. The Administrative Simplification section of HIPAA requires the US Department of Health and Human Services to mandate the use of specific electronic formats for various business transactions, and to specify the administrative and medical coding schemes to be used within those formats. It also mandates the development and implementation of national identifiers for patients, providers, payers, and employers, and the adoption of security and privacy standards appropriate for the protection of individually identifiable health care information. Health care providers, health plans, and health care clearinghouses are "covered entities" and must comply with HIPAA standards/regulations. Most covered entities have 24 months from the effective date of a final regulation to achieve compliance (though small health plans have 36 months to comply). Titles of the ten HIPAA standards, their status and whether they will affect the National Registry of CardioPulmonary Resuscitation (NRCPR) are below.

Health care providers, health plans, and health care clearinghouses are "covered entities" and must comply with HIPAA standards/regulations. Most covered entities have 24 months from the effective date of a final regulation to achieve compliance (though small health plans have 36 months to comply). Titles of the ten HIPAA standards, their status and whether they will affect the National Registry of CardioPulmonary Resuscitation (NRCPR) are below.

Summary of HIPAA Regulations and their impact on the NRCPR

  1. Standards for Electronic Transactions - Compliance required by October 16, 2002 or October 16, 2003 if extension plan submitted.
    - Not applicable to the NRCPR.
  2. Standards for Claims Attachments - Notice of Proposed Rule Making (NPRM) estimated publication date - August 2004.
    - Not applicable to the NRCPR.
  3. Standard Transaction for First Report of Injury - Industry currently working on a standard.
    - Not expected to be applicable to the NRCPR.
  4. Standards for Privacy & Individually Identifiable Health Information - Compliance required by April 14, 2003.
    • The AHA meets the definition of a business associate to NRCPR participants, which are HIPAA covered entities (health care providers).
    • NRCPR participants disclose protected health information (PHI), in the form of a limited data set, to the AHA through their data submissions. Therefore, they are required to have a Data Use Agreement (DUA) with the AHA describing the permitted uses of that PHI and stating that the AHA will appropriately safeguard the PHI it receives from participants.
    • The AHA has developed such a DUA and has distributed it to NRCPR participants.
  5. Standard Unique Identifier for Employers - Compliance required by July 30, 2004.
    - Not applicable to the NRCPR.
  6. Standard Unique Health Care Provider Identifier - Compliance required by May 23, 2007.
  7. Standard Unique Health Plan Identifier - Estimated publication date to be determined.
  8. Standard Unique Identifiers for Patients - Work halted due to privacy concerns.
    - Standards 6-8 are not applicable to the NRCPR.
  9. Security Standards - Compliance required by April 21, 2005.
    - Will affect the NRCPR. Will be reviewed in detail and the NRCPR will be compliant.
  10. Standard for Electronic Signature - Industry is working on this issue.
    - Not expected to be applicable to the NRCPR.

Digital Innovation, Inc.

Digital Innovation, Inc. (DI) administers the NRCPR for the AHA. DI uses NRCPR participants' PHI (limited data set) for the following purposes:

  • Creating the NRCPR central database that supports the quality assessment and improvement efforts of all participants.
  • Providing NRCPR participants with periodic reports that contrast its performance with respect to various aspects of in-hospital CPR to that of other similar hospitals that also participate in the NRCPR. These reports may include PHI for individual patients treated by the covered entity whose process of care or outcomes may make them worthy of peer review.

DI agrees to the same restrictions and conditions that apply through the Data Use Agreement to the AHA with respect to the protected health information.

Note: This statement does not constitute legal advice. If you have any questions about the applicability to your institution, please seek independent legal counsel.
 
Copyright © 2010. American Heart Association. All rights reserved.
phone (888) 820-3282  ::  email info@nrcpr.org  ::  fax (410) 838-1148