HIPAA stands for Health Insurance Portability and Accountability Act. It is a federal law whose purpose is to protect the privacy of personal medical information that is shared with doctors, nurses, hospitals, insurance companies and other health care providers. HIPAA’s Privacy Rule puts new limits on how personal medical information is used and shared, gives clients the right to access their medical records and puts greater protection on those medical records. In the past, personal health information was sold or shared to make decisions regarding employment, for marketing purposes, to coordinate care for disease management and to help determine drug costs. This was done without notice to or consent of the client. The Privacy Rule applies to all forms of personal health information – written, electronic or oral.
Who has to follow the HIPAA Rules? All health care providers – doctors, nurses, aides, insurance companies, health care agencies, hospitals, laboratories and business associates of these persons must follow the HIPAA rules.
What is personal health information? Personal health information includes any information regarding the past, present or future physical or mental health or condition of a person that is used for treatment or payment of healthcare. The HIPAA rules extend the Privacy Rule’s protection to any information that can be used to identify an individual. This might be the name, social security number, address, health insurance numbers, doctor’s name, diagnosis, etc. Such information can connect a person to specific health information. Protected Health Information (PHI) is that personal health information that is transmitted or stored electronically or in any form other than hard copy.
What does the Agency have to do to meet the new regulations? The Agency must do several things in order to fulfill its legal obligations. We must provide client and employee education about privacy rights and how client information can be used. Policies and procedures must be developed for clients and employees to follow. All employees must be trained on the policies and procedures. Most important of all, employees must be aware of the ways they contribute to maintaining client confidentiality: not discussing cases with people who are not involved in the client’s care; keeping records secure and out of the sight of people who do not work for the Agency; properly destroying client documents that are no longer needed, or pieces of paper that have client information written on them; disclosing only the minimum amount of information that is needed; and taking other measures to protect client confidentiality, such as learning about privacy practices.
What information does the client need to know? Clients will be informed of the new privacy rule and their rights under this rule, through a “Notice of Privacy Rights”. The nurse will give this document to the client at the time of the first nursing visit and will ask the client to sign a consent form to use and share the PHI for treatment, payment and health care operations. This consent form must be kept on file for six years.
How can PHI be used and disclosed legally? In order for clients to receive treatment, have the treatment paid for by their insurance company and for the health care agency to operate, protected health information (PHI) must be used and disclosed by the people involved in the care of the client. PHI is used when it is shared, examined, applied and analyzed. PHI is disclosed when it is released, transferred or accessed in any way by anyone outside the health care agency. PHI may be used or disclosed in the following instances: for treatment, payment or health care operations; with authorization or agreement from the client; for disclosure to the client; for incidental uses, such as doctors talking to clients in a hospital room or on the phone, or a nurse who is taking care of the client. For other uses or disclosures, the client must sign a special authorization form.
What requirements are related to the special authorization form? This form must be signed by the client when information must be used or shared with a third party for a purpose not related to treatment, payment or health care operations. The authorization may be revoked by the client at any time. Each authorization must give a specific description of the information to be used or shared, the name of the person who is getting the information, the purpose of the disclosure and the expiration date of the authorization, and must be written in plain English. The information that is shared must be the minimum necessary.
Are there other times when PHI can be disclosed without obtaining a special authorization? Yes, PHI may be legally disclosed without obtaining a special authorization from the client for the purpose of audits, civil and criminal investigations, law enforcement, judicial and administrative proceedings, public health and safety reporting, reporting suspected or known cases of abuse, neglect or domestic violence, and other legal requirements. In emergency circumstances PHI may be disclosed. PHI may also be shared with relatives, coroners and medical examiners.
Can I tell if the client says I can? Disclosure may be made to family members, friends or other people whom the client indicates are involved in their care or in payment for their health care, unless the client objects in whole or in part. In any other situation not described previously, you need to get the client’s written authorization to disclose any PHI.
What if “they” are listening? An incidental use or disclosure is a secondary use or disclosure that cannot reasonably be prevented, is limited in nature and occurs as a result of an otherwise permitted use or disclosure. Incidental uses and disclosures are permitted only to the extent that reasonable safeguards have been applied and no more of the PHI is disclosed than is necessary to accomplish the permitted use or disclosure – this is known as the Minimum Necessary Standard. An example might be a disclosure about a client by a home health aide in the client’s home that is overheard by family members not involved in the client’s care.
What is the “minimum necessary rule”? Use or disclosure of PHI must be limited to the smallest amount that is needed to get a job done. This means that not all employees will have the same amount of information about a client. Each employee should have only the information that is necessary for them to carry out their job. This rule does not apply to the use or disclosure of medical records for treatment purposes, since the health care provider needs access to the entire record to provide quality care.
What happens if an individual or agency fails to follow these laws? Failure to comply may result in civil and/or criminal penalties.
Does HIPAA take precedence over other existing confidentiality laws? In cases where state laws are stricter than the HIPAA rules, the state laws take precedence. An example is the HIV confidentiality laws.
Does HIPAA have any other part besides the Privacy Rule? Yes, there are three parts to the HIPAA regulations. You have already heard about the Privacy Rule. HIPAA also sets standards for the electronic transmission of PHI in order to standardize how this is done throughout the country. There will also be a Security Rule, which will create standards governing the security of protected health information (PHI); these regulations have not been written yet.