What is HIPAA?

The DHHS issued a press release entitled, "Protecting the Privacy of Patient's Health Information," which begins with the statement:

"Each time a patient sees a doctor, is admitted to a hospital, goes to a pharmacist or sends a claim to a health plan, a record is made of thier confidential health information. For many years, the confidentiality of those records was maintained by our family doctors, who kept our records sealed away in file cabinets and refused to reveal them to anyone else. Today, the use and disclosure of this information is protected by a patchwork of state laws, leaving large gaps in the protection of patients' privacy and confidentiality. There is a pressing need for national standards to control the flow of sensitive patient information and to establish real penalties for the misuse or disclosure of this information"

HIPAA provides national privacy standards. HIPAA is an acronym for the Health Insurance Portability and Privacy Act of 1996, also know as the Kennedy-Kassebaum Act and covers three areas:

  1. Insurance Portability - ensures that individuals moving from one health plan to another will have continuity of coverage and will not be denied coverage under pre-existing condition clauses;
  2. Fraud enforcement (accountability) – significantly increase the federal government's fraud enforcement authority in many different areas;
  3. Administrative simplification (reduction in health care costs) – through Standards for Electronic Transactions (standards to ensure that information regarding health care insurance claims, payment and enrollment is maintained and transmitted by compatible electronic systems) and Standards for Security of Electronic Information systems (security standards).

HIPAA Privacy Compliance. Ensures that personal medical information shared with doctors, hospitals and others who provide and pay for healthcare is protected:

  1. Imposes new restrictions on the use and disclosure of personal health information and punishes individuals or organizations that fail to keep patient information confidential;
  2. Gives patients greater access to their medical records; and
  3. Gives patients greater protection for their medical records.

(back to top)

When does the HIPAA Privacy Rule come into effect?

Although the rules start April 2003, policies and procedures should be in place prior to the rule effective date.

(back to top)

Who is covered by the HIPAA Privacy Rule?

  1. Healthcare providers (any person (entity) who furnish, bills or is paid for health care in the normal course of business);
  2. Health Plans (individuals or groups plan that provide or pay for medical care);
  3. Healthcare clearing houses (i.e., public or private entities, including a billing service, community health management information system);
  4. Business Associates who have access to patient records (someone who performs or assists the covered entity to perform a function or provides a service to a covered entity that involves the use or disclosure of individually identifiable health information).

(back to top)

Are there penalties for unauthorized release of information?

HIPPA establishes civil and criminal penalties for covered entities that misuse Personal Health Information (PHI).

  1. Civil Penalties – fines of up to $100 for each violation of a requirement per individual to a maximum of $25,000 for violations of any single requirement in a calendar year;
  2. Criminal Penalties for "Wrongful Disclosure:"
    a) Knowingly releasing patient information can result in a one year jail sentence and a $50,000.00 fine;
    b) Gaining access to health information under false pretenses can result in a five year jail sentence and a $100,000.00 fine;
    c) Releasing patient information with harmful intent or selling the information can lead to a 10 year jail sentence and a $250,000.00 fine.

(back to top)

What is HIPAA's relationship to other law governing confidentiality and State Laws?

  1. If State laws give patients confidentiality protections that exceed HIPAA, the law that gives greater protection will apply (AIDS/HIV State Law is more stringent than HIPAA).
  2. If State laws give residents broader access to their own health information than does HIPAA, the broader access will apply (i.e., HIPAA allows providers not to give residents access to some of their own health records under some circumstances, but OBRA gives resident access to all of their clinical records).

(back to top)

What is protected health information (PHI)? 

When a patient gives personal health information to a covered entity that said information becomes Protected Health Information (PHI).

Any information or patient information uses or disclosed by a covered entity in any form – oral, recorded, on paper or sent electronically, or any PHI that contains information that connects the patient to information.

Individually identifiable information is any information including demographic information that identifies an individual: and

  1. Is Created or received by a health care provider, health plan employer or health care clearing house;
  2. Relates to the past, present or future physical or mental health or condition of an individual;
  3. Describes the past, present or future payment for the provision of health care to an individual.

(back to top)

What makes information identifiable? 

Anything that can be used to identify a patient, such as:  names addresses, employers, relatives' names, dates of birth, telephone and/or fax numbers, e-mail addresses, Social Security or Medical Record numbers and photographs.

(back to top)

What are the rules for the use and disclosure of PHI? 

HIPAA creates rights that are intended to enable residents to understand and control how their health information is used or disclosed.  HIPAA's Privacy Rule is all about the use and disclosure of PHI.  With few exceptions, PHI cannot be used or disclosed by anyone unless it is permitted or required by the Privacy Rule.  PHI is used when the information is shared examined, applied or analyzed.  PHI is disclosed when it is released, transferred and in any way accessed by anyone outside the covered entity.

You are permitted to use or disclose PHI:

  1. For treatment, payment and healthcare operations (PTO):

    a.) Treatment – coordination and management of health care and related services, including coordination with other health care providers or third parties;

    b.) Payment – determining eligibility or coverage, coordination of benefits, billings, collection activities and claims management; and

    c.) Operations – quality assessment and improvement, case management and coordination of care and peer review.

  2. With authorization or agreement from the individual patient.
  3. For the disclosure of the individual patient.
  4. For incidental uses such as physicians talking to patients in a semi-private room.   

You are required to release PHI for use and disclosure:

  1. When requested or authorized by the individual – although some exceptions apply;
  2. When required by the Department of Health and Human Services for compliance or investigation. 

(back to top)

When is Authorization required? 

Signed authorization from the patient is required for the use or disclosure of PHI for all release other than for PTO.  Covered entities can communicate freely with patients about treatment options and health-related information.

(back to top)

When is Authorization not required? 

PHI may be used/disclosed without authorization but with patient agreement:

  1. To maintain a facility's patient directory;
  2. To inform family member or other identified person involved in patient's care or notify them on patient location , condition or death;
  3. To inform appropriate agencies during disaster relief.

PHI may be used/disclosed without patient agreement when there is an overriding public interest:

  1. Public Health activities related to disease prevention or control;
  2. To report victims of abuse, neglect or domestic violence;
  3. Health oversight activities such as audits, legal investigations, licensure or for certain law enforcement purposes or government functions;
  4. For coroners, medical examiners, funeral directors, tissue/organ donations or research;
  5. To avert a serious threat to health and safety;
  6. Court orders and subpoenas.

(back to top)

What is Minimum Necessary? 

The use/disclosure of PHI is limited to the minimum amount of health information necessary to get the job done.  Health care workers must make a reasonable effort to disclose or use only the minimum necessary amount of protected health information they need to do their jobs.

  1. Covered entities must develop polices and practice to make sure the least amount of health information is shared;
  2. Employers must be identified who regularly access PHI;
  3. The types of PHI needed and the conditions for access.

The Minimum Necessary Rule does not apply to use/disclosure of medical records for treatment since healthcare providers need the entire record to provide quality care.

Providers must establish policies and procedures to verify the identity and authority of anyone who request PHI if the provider does not know the person requesting information.

(back to top)

What is Privacy Notice? 

Patients have the right to adequate notice concerning the use/disclosure of their PHI on the first date of service.  Once a patient has received notice of his/her rights, covered entities must make an effort to get written acknowledgement of receipt of notice for the patient or document reason why it was not obtained.

(back to top)

What does the Privacy Notice contain?

  • Patient rights and covered entities' legal duties;
  • The notice should be made available to patient in print;
  • The notice should be displayed at the site of service;
  • The notice must be in plain language and must state:

"This notice describes how medial information about you may be used and disclosed and how you can get access to this information.  Please review it carefully."

(back to top)

What are Patient Privacy Rights? 

The Privacy Rule grants patients new rights over their PHI.  Rights include:

  1. Receive Privacy Notice at time of first delivery of service;
  2. Restrict use and disclosure, although the covered entity is not required to agree;
  3. Have PHI communicated to them by alternate means and at alternate locations to protect confidentiality;
  4. Inspect, correct and amend PHI and obtain copies with some exceptions;
  5. Request history of non-routine disclosures for six years prior to the request; and

Contact designated persons regarding any privacy concern or breach of privacy within the facility or at HHS.

(back to top)

What must Administration do to comply?

  1. Allow patients to see and copy their PHI;
  2. Designate a full or part-time privacy official responsible for implementing the programs;
  3. Designate a contact person or office responsible for receiving complaints;
  4. Develop a Notice of Privacy Practices document;
  5. Develop policies and safeguards to protect PHI and limit incidental use or disclosure;
  6. Institute employee training programs, so everyone knows about the privacy policies and procedures for safeguarding PHI;
  7. Institute a complaints process and file and resolve formal complaints;
  8. Make sure contracts with business associates comply with the Privacy Rule. 

(back to top)

How must facilities account for disclosure? 

Residents have the right to an accounting of disclosures made by the provider that are not made for the purpose of PTO.

    1. Accounting includes disclosure to business associates and state surveyors;
    2. The disclosure acknowledgement must include date of disclosure, name of person or entity to whom the disclosure was made and address if known;
    3. A brief description of the PHI disclosed;
    4. A brief statement of the purpose of the disclosure;
    5. The accounting must be provided within 60 days of receipt of the request and may include a "reasonable" charge for the accounting when requested more than once during any 12 month period.

(back to top)

What must you do when maintaining/using patient record?

    1. Do not leave patient information in an unattended area at provider location;
    2. When you are finished using patient information, return it to its appropriate location (Medical Records Department or nursing station file);
    3. When looking at electronic patient information, log off the system.  Do not leave the information visible on an unattended computer monitor;
    4. When discarding patient information, make sure that information is shredded or locked in a secure bin to be destroyed later;
    5. When faxing patient information, make sure you are faxing it to a dedicated fax machine in a secure location and make certain that the person the information is being faxed actually receives the fax.

(back to top)