The Health Insurance Accountability and Portability Act (HIPAA) helps to protect the privacy of patients by giving them certain rights over the use of their medical information, and providing limitations on who may have access to this information.
HIPAA (Health Insurance Accountability and Portability Act) was mandated by the federal government in 1996 in an attempt to secure the privacy of health information and to establish standards for transactions that were undertaken electronically, such as those for health insurance claims. This standardization, originally suggested as a cost-saving measure by healthcare groups, eventually evolved to include federal protection of privacy with the introduction of the "Privacy Rule," effective in 2001, for individually identifiable health information. This mandate established standards that dictated the use and disclosure of "protected health information " (PHI), and addressed issues such as administrative handling of information and the keeping of records, as well as the rights of individuals for whom health information is related. Additional protections of privacy may be added to the national regulations outlined in HIPAA, as necessitated by federal or state rulings, as well as institutional guidelines. The misuse of PHI is subject to civil and criminal penalties ranging from monetary penalties up to imprisonment, based on the nature of the violation.
HIPAA regulations apply to various members of the medical team involved in patient care such as doctors, nurses, and those conducting clinical research studies. It is applicable to a variety of settings such as private medical practices, hospitals, nursing homes and pharmacies. HIPPA also affects the administrative communication of medical information that occurs in HMOs, insurance carriers, health care clearinghouses, and government programs such as Medicaid and Medicare. These specific "covered entities" are outlined in HIPAA regulations and must comply with the privacy rules.
The term "covered entities" refers to health care providers, health plans, and health care clearinghouses. Health care providers include organizations or individuals that provide health care such as doctors, nurses, hospitals, dentists, optometrists, pharmacies, and nursing homes, as well as medical equipment supply companies. Those who conduct electronic activities involving PHI, such as billing departments, are also considered covered entities. Health plans that pay for the medical care, such as HMOs and group health plans that insure employees, are considered covered entities, as are clearinghouses that may be involved in transferring of medically coded financial information.
There are various types of information that may be protected. Protected health information includes information that has the potential to identify an individual, and that may be communicated in written form on paper and electronically, and orally, such as:
- Information that had been compiled by health care providers or plans, employers, and health care clearinghouses. For example, activities such as determining enrollment and eligibility.
- Items that identify the individual, such as medical records in electronic or written form. Also, information that could potentially identify an individual, such as names, telephone numbers and e-mail addresses, employers, social security numbers, medical record numbers, serial numbers for implants, photos, names of relatives, etc.
- Demographic information collected on the individual, such as addresses, age, etc.
- Information that is relevant to the past, present, and future health of the individual, either physical or mental.
- Information involving what health care was provided to the individual.
- How the health care is financed for the individual, either past, present, or future.
Disclosure of PHI
Covered entities are required by HIPAA to attempt to reasonably minimize the use and disclosure of PHI, as well as to minimize the requests that are made for this type of information, as dictated by the "minimum necessary standard." If the information is not necessary to carry out a particular task or function, nor does it serve a specific purpose, then it should not be disclosed. However, the transfer of medical information between caregivers is necessary to provide comprehensive care, and the need for privacy should be appropriately balanced with this effort. The conditions under which minimum necessary information can be disclosed are generally divided into three categories:
- Information required for treatment. This would involve those who are responsible for the administration and management of the treatment administered to the patient and would cover discussions by members of the medical staff, consultations, and referrals.
- Information required for payment of treatment. This would involve interactions between the health care providers and those that will be involved in the payment for the treatment, such as health care plans and government programs such as Medicaid and Medicare.
- Information required for performance of health care operations. This includes the general administrative, financial, and legal aspects required to operate a health care institution. It would include information required for licensing, to obtain accreditation, operation of compliance programs, medical reviews, training of employees, and other aspects involved in coordinating patient care and administering the delivery of such care.
Polices within the health care setting are often adopted that further limit the disclosure of PHI, based upon the job duties of employees and the nature of the information that is necessary to perform their tasks.
There are instances, however, when information may be disclosed by covered entities and governmental divisions with the appropriate discretion. Such cases are:
- Information about the patient when it is given directly to the patient.
- The information is requested by health care providers to treat the patient.
- The patient specifically authorizes the release of medical information.
- The information may negatively impact the health of the public at large, and thus the minimum necessary information would be reported to the appropriate public health authority. Examples of this would be reporting a highly communicable disease to the Center for Disease Control and Prevention, reporting findings about the adverse effects of a drug to the Food and Drug Administration, or reporting information such as births, deaths, injuries, or information that relates to public health or workplace medical surveillance.
- Disclosing information as required for compliance with workers compensation laws.
- Reporting information in cases of child abuse and domestic violence.
- Reporting information during emergency situations.
- The information may be disclosed to identify the remains of a deceased person or released to a coroner to determine the cause of death.
- Limited information that has been collected for the purposes of research, as previously approved by an Institutional Review Board (IRB) or Privacy Board.
- Information pertinent to law enforcement or judicial investigations.
- Information needed for issues of national security.
- Information used for the donation of tissues, eyes, and organs.
To determine if it is appropriate to disclose certain information, it is necessary to consult with one's institutional administration for standard practices, as well as information that can be available from the federal government and professional associations as well as the appropriate legal counsel.
A delicate balance exists between the demands for individual privacy and the reality of operating a healthcare system to benefit society. HIPAA was designed to be structured to the extent that it meets the expectation for individual privacy, yet flexible enough so that the basic operations of healthcare and biomedical research can be performed. It was also designed to accommodate new methods of information technology transfer as our healthcare system evolves in the future. The basic structure of HIPAA reflects this balance.
HIPAA was designed to protect patient privacy rights. As such, patients have certain rights that include, but are not limited to:
- The right to review and obtain copies of their medical records from a designated record set. There are restrictions on psychotherapy notes, and in some states there may be restrictions on test records from clinical laboratories. They also have the right to have errors in their medical records corrected.
- The right to receive a "Notice of Privacy Practices" about how their PHI is going to be used and their rights under the privacy rules. There may also be elements of additional state regulations included in this notice.
- The right to determine if their PHI can be shared for other purposes not specifically related to their healthcare such as sharing information for marketing purposes with pharmacies, health plans, and life insurance companies.
- The right to receive a record of the disclosures of PHI, when they occurred, to whom the information was given, and a description of the purpose of the disclosure.
- The right to request confidential communication of their PHI.
- The right to file a complaint with the provider, insurer, or the Health and Human Services Office for Civil Rights if they feel their rights have been violated.
Patients should consult with their health care providers, insurance companies, and the wealth of information available on government websites for additional information on how to protect their privacy.
HIPAA requires that healthcare providers, healthcare plans and insurers, and governmental plans take an active administrative role in protecting the privacy of patients. This does not necessarily represent impedance to the daily administration of healthcare, as HIPAA compliance offers some advantages to healthcare providers. HIPAA is structurally flexible, in that it allows providers to communicate to deliver quality healthcare and carry out beneficial activities such as medical research. It also allows institutions to carry out the daily mechanics of running the business and administrative tasks of healthcare management. The data collection that results from the process can be useful in analyzing administrative practices with new information technologies as they are developed, such as cost-benefit analysis, in the medical care setting.
In general, the establishment of HIPAA involves the following broad activities for providers and healthcare plans and administration:
- Preparation and enforcement of a written description of how the HIPAA rules are met in their administrative practices.
- Preparing appropriate documentation to meet HIPAA regulations.
- Informing patients of their privacy rights for PHI through a "Notice of Privacy Practices."
- Development of documentation that allows the use of PHI by patients for certain purposes (authorization and consent documents).
- Appointment of a "Privacy Officer" who works to develop the privacy practices within a given area, as well as the assignment of contact persons who will work with the public as it interacts with the system.
- Training of employees involved in the sensitive use of PHI with the appropriate privacy regulations, as well as what can be disclosed per the HIPAA rulings.
- Establishment of safeguards at the physical, administrative and technical levels to prevent the disclosure of protected health information, including situations where the information has the potential to be accidentally disclosed.
- Establishing a plan of action that will be undertaken when privacy has been violated.
- Mitigation of negative effects of any privacy violations, with no retaliation.
These goals for HIPAA compliance may be somewhat challenging for smaller medical practices that may be working on limited resources, but the HIPAA rulings were designed with some flexibility so as to be achievable in a variety of settings.
HIPAA affects situations that one might encounter through the practical, daily operations of medical care. It is important to remember the patient's privacy expectations. Some practical applications of this concept for daily activities would include:
- Use a low voice when discussing patient information, and avoid discussing patient information (such as names, details of treatment, etc.) in public areas where it may be overheard, such as hallways, elevators, and the waiting room.
- Not displaying medical information next to the patient's name on a sign-in sheet for patients in a public waiting room.
- Try to meet the privacy needs of the patient and their family if they are sharing a room with another patient.
- Take care to properly identify individuals who may be inquiring about the patient's condition and use discretion when discussing details. Relay accurate information only as necessary with sensitivity to the privacy wishes of the patient.
- Place charts in holders such that they can not be viewed by others who might be passing by if they are located in hallways that are accessible to the public.
- When using a computer to view patient records at a nursing station or administrative desk, close out the screen when the work has been finished. Also, do not print hard copies of any information that one does not "need to know" in order to perform a task.
- Do not share computer passwords to systems that store PHI, and frequently change them if possible.
- Do not leave medical records lying open on desks so that others may inadvertently view them.
- Take care to appropriately secure areas where patient information may be stored as specified by the HIPAA compliance procedures outlined by the institution.
- Make sure that all patient information reproduced through faxes and printers arrives at a secure location, away from the public view, and that this information is retrieved as soon as possible.
- Limit the amount of PHI used in an e-mail or fax as recommended by the institution.
- Do not allow unauthorized persons to use computer systems where private information may be stored (e.g., a family member or friend visiting the office uses the computer to check an e-mail and inadvertently views private information of a patient).
- Do not look up medical information as a favor to friends and family members.
- Properly dispose of all paper documentation that may have PHI per the institution's recommendations (e.g., shredding of documents).
- If involved in a clinical study, be informed of the research details as outlined in the IRB documentation, and keep information collected for research purposes, such as medical information and authorization documents, in secure locations as dictated in the IRB. Maintain security of identifiers and destroy this information when it is no longer needed.
HIPAA— Health Insurance Portability and Accountability Act. A set of rulings passed by the federal government designed to facilitate electronic transactions by standardization, as well as the protection of the confidential nature of individual health information.
PHI— Protected Health Information. Protected health information includes information that has the potential to identify an individual, and which may be communicated in paper, electronic, and oral forms.
Covered Entities— Health care providers, health plans, pharmacies, and health care clearinghouses.
Minimum Necessary Standard— The requirement dictated by HIPAA to reasonably minimize the use and disclosure of PHI, as well as to minimize the requests that are made for this type of information, as it refers to the conduct of employees that will have access to PHI.
Need-to-Know— The concept that those individuals who are handling PHI should have access to only that information that is necessary for them to perform their job functions.
Notice of Privacy Practices— A requirement by HIPAA that individuals are informed through a written notice of the privacy practices that are used by their health care providers and health plans, as well as their privacy rights regarding their protected health information.
When working in the healthcare setting, it is important to consult with the guidelines established by one's institution and to participate in any training programs to insure that the appropriate steps are being taken to maintain privacy. There are also a variety of additional resources available from the federal government and professional organizations to assist in the training process that may be especially helpful to those who are working in smaller medical practices or clinics with limited resources. Taken together, such actions, as guided by the HIPAA regulations, promote the patient's confidence in the ability of their health care provider to honor their commitment to maintain privacy and deliver a high standard of quality health care that meets society's needs.
Root, J., D. C. Kibbe, M. Hubbard, and C. P Hartley. Field Guide to HIPAA Implementation. American Medical Association, 2004.
Hubbard, M. W., K. Glover, and C. P. Hartley HIPAA: Policies & Procedures Desk Reference. American Medical Association, 2003
Muhlbaier, L. HIPAA in Clinical Trials: A Practical Guide for Research Compliance. HCPro, 2003
Erickson, J., and S. Millar. "Caring for Patients While Respecting Their Privacy: Renewing Our Commitment." Online Journal of Issues in Nursing Vol. 10 No. 2, Manuscript 1. (May 31, 2005), http://nursingworld.org/ojin/topic27/tpc27_1.htm