Health Insurance Portability and Accountability Act of 1996 is a law enacted to combat fraud, waste, and abuse in health insurance and the delivery of healthcare services; to improve access to long-term care services and coverage, and simplify the administration of health insurance. The program sets standards for the use and disclosure of protected health information along with measures to ensure the secure transmission and storage of medical records and other individually identifiable or demographic information. The regulations protect medical records and other individually identifiable health information, whether it is on paper, in computers or communicated orally. Key provisions of these new standards include:
- Access to Medical Records. Patients generally should be able to see and obtain copies of their medical records and request corrections if they identify errors and mistakes.
- Notice of Privacy Practices. Covered health plans, doctors, and other health care providers must provide a notice to their patients how they may use personal medical information and their rights under the new privacy regulation. Patients also may ask covered entities to restrict the use or disclosure of their information beyond the practices included in the notice, but the covered entities would not have to agree to the changes.
- Limits on Use of Personal Medical Information. The privacy rule sets limits on how health plans and covered providers may use individually identifiable health information. In addition, patients would have to sign a specific authorization before a covered entity could release their medical information to a life insurer, a bank, a marketing firm or another outside business for purposes not related to their health care.
- Prohibition on Marketing. The final privacy rule sets new restrictions and limits on the use of patient information for marketing purposes. Pharmacies, health plans and other covered entities must first obtain an individual’s specific authorization before disclosing their patient information for marketing.
- Stronger State Laws. The new Federal privacy standards do not affect State laws that provide additional privacy protections for patients. The confidentiality protections are cumulative; the privacy rule will set a national “floor” of privacy standards that protect all Americans, and any State law providing additional protections would continue to apply. When a State law requires a certain disclosure — such as reporting an infectious disease outbreak to the public health authorities — the Federal privacy regulations would not preempt the State law.
- Confidential communications. Under the privacy rule, patients can request that their doctors, health plans, and other covered entities take reasonable steps to ensure that their communications with the patient are confidential.
- Complaints. Consumers may file a formal complaint regarding the privacy practices of a covered health plan or provider.
HIPAA for Health Plans and Providers
The privacy rule requires health plans, pharmacies, doctors, and other covered entities to establish policies and procedures to protect the confidentiality of protected health information about their patients. These requirements are flexible and scalable to allow different covered entities to implement them as appropriate for their businesses or practices. Covered entities must provide all the protections for patients cited above, such as providing a notice of their privacy practices and limiting the use and disclosure of information as required under the rule. In addition, covered entities must take some additional steps to protect patient privacy:
- Written Privacy Procedures. The rule requires covered entities to have written privacy procedures, including a description of staff that has access to protected information, how it will be used and when it may be disclosed. Covered entities generally must take steps to ensure that any business associates who have access to protected information agree to the same limitations on the use and disclosure of that information.
- Employee Training and Privacy Officer. Covered entities must train their employees in their privacy procedures and must designate an individual to be responsible for ensuring the procedures are followed. If covered entities learn an employee failed to follow these procedures, they must take appropriate disciplinary action.
- Public Responsibilities. In limited circumstances, the final rule permits — but does not require — covered entities to continue certain existing disclosures of health information for specific public responsibilities. These permitted disclosures include: emergency circumstances; identification of the body of a deceased person, or the cause of death; public health needs; research that involves limited data or has been independently approved by an institutional review board or privacy board; oversight of the health care system; judicial and administrative proceedings; limited law enforcement activities; and activities related to national defense and security. The privacy rule generally establishes new safeguards and limits on these disclosures. Where no other law requires disclosures in these situations, covered entities may continue to use their professional judgment to decide whether to make such disclosures based on their own policies and ethical principles.
HIPAA Considerations for Prehospital Care Providers
Anyone involved in prehospital emergency medical service must take precautions to ensure that a patient’s protected health information is protected and communicated to others strictly on a “need-to-know basis” — or as defined in the HIPAA standards, “Minimum Necessary.” The regulation does not specifically state the mode of disclosure/transmission, so it is acceptable to pass on information in a written form, oral communication — discretion and a low voice is always advised when communicating orally and in a public setting, or via radio for the purposes of providing a radio “patch” to the receiving medical facility. In order to protect protected health information during a radio patch, information should be limited to what the receiving facility needs to know about the patient to prepare for the patent’s arrival and treatment.
- Exchanging Protected Health Information with Medical Facilities
As required under the Ryan White Act, prehospital care providers are mandated to provide a copy of their patient care report to the receiving medical facility upon arrival. This practice is permitted under HIPAA and does not violate the standards established in the privacy rule. Additionally, the HIPAA standards published in the final rule permit covered entities to share and exchange information with each other for the purposes of providing care/treatment, obtaining information for payment, and using the information for health care operations (i.e., quality assessment/quality improvement, education, etc.) without the consent or authorization of the patient or the patient’s personal representative. Thus medical facilities may provide prehospital care providers with face sheets and other records for these purposes without patient consent or authorization.
- Safeguarding Patient Information
As a standard practice, all covered entities must have systems in place that assures the secure handling and safe storage of patient’s records containing protected health information.