HIPAA is a sectoral law that was first enacted in 1996 to make several changes in the healthcare industry. Among these changes are a Security Rule and a Privacy Rule, which protect personal health information.
Protected Health Information is any personally identifiable health information, communicated in any form (oral, paper or electronic), that is maintained by a covered entity as defined by HIPAA (see below). Personally identifiable health information may include a person's age, gender and other demographic information, as well as information about their diagnosis; prognosis; their past, present or future medical health or conditions; and payment for the provision of past, present or future medical care. Any information that may potentially identify an individual personally is considered to be protected health information (PHI).
In general, any entity that handles protected health information must comply with HIPAA regulations. However, the law specifically mentions the following, all of which are considered "covered entities":
- Health Care Providers: all hospitals, doctors, nurses, health care workers and any other healthcare service providers
- Health Plans: Medicare and Medicaid; private insurance companies; group health plans
- Business Associates: any third party that may handle protected health information as a service, such as billing, data analysis, data aggregation, etc.
The HIPAA Privacy Rule attempts to strike a balance between the need for disclosure among health care professionals (to ensure quality care, payment and public safety) and the protection of the identity and personal health information of the patient.
Under the Privacy Rule a patient has the right to:
- Notice of a covered entity’s privacy practices which include the type of information collected and its intended use.
- Consent or object to the disclosure of protected health information to third parties other than those disclosures granted to business associates for the rendering of treatment or services. The Privacy Rule requires that a signed authorization from the individual be placed on record for each specific third party with which the patient wishes to share their information.
- Access and amend the protected health information that an entity has on record about them. A minimal charge may be assessed to cover expenses associated with providing access to, or changes to, their records.
- Limited disclosure of protected health information. Disclosure must be limited to that which is minimally necessary. When a health care provider or plan shares personal health information with a business associate for the purposes of rendering a service (e.g., billing, data analysis, research, etc.), the covered entity must ensure that the business associate or third party will maintain the same standards of privacy.
- Safeguarding of their protected health information. All entities handling personal health information must maintain the necessary physical, technical and administrative safeguards to protect the confidentiality, integrity and security of the patient’s information.
The Privacy Rule makes provisions for the disclosure of protected health information without the limitations outlined above for the following situations:
- Information needed for public health activities and safety
- In coordination with law enforcement or judicial activities and proceedings
- Certain research purposes
- Special Government functions
HIPAA’s Security Rule deals specifically with the protection of personal health information in its electronic form, which includes data stored on computer hard drives and magnetic or digital storage devices.
The Security Rule requires that covered entities take reasonable measures to:
- Ensure the confidentiality, integrity, and availability of electronic health information
- Protect against the unauthorized access, use or disclosure of protected health information.
- Enforce HIPAA compliance in the work force.
Furthermore, the Security Rule requires:
- The creation of an individual entity to be responsible for implementing and enforcing the Security Rule
- Initial and periodic risk assessments to determine the efficacy of current safeguards, evaluate new threats and implement the necessary protections to maintain the confidentiality and integrity of the data.
- The creation of an ongoing training program to educate the workforce on complying with the Security Rule
- The covered entity to incorporate the Security Rule into business associate contracts to ensure that all business associates maintain an equivalent level of protection.
The Health Care Portability and Accountability Act plays a significant role in the protection of the privacy of health information. HIPAA is a complex and far-reaching law which pertains to all professionals involved in the health care field. Education in HIPAA compliance must be ongoing, and compliance closely monitored, to ensure the protection of health information.
CIPP/G Candidate Preparation
In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:
- U.S. Public and Private Sector General Laws including HIPAA (I.A.b.i.)