++
Ensuring strong privacy protection is vital to maintaining public trust in the healthcare system. Of particular concern is the sharing of health information with other entities, which is often unavoidable: consulting a specialist or another healthcare provider, or billing an insurance program, all require it. To that end, the Health Insurance Portability and Accountability Act (HIPAA) of 1996 has two broad provisions: (1) defining procedures and guidelines for “covered entities” that protect the privacy and security of individually identifiable health information, and (2) setting civil and criminal penalties for violations. The entities covered by the privacy law are health plans (insurance companies, HMOs, Medicare/Medicaid, company health plans); healthcare providers (physicians, dentists, pharmacies, nursing homes, hospitals, clinics, nonphysician mental health professionals); and business associates of covered entities (billing companies, IT contractors, insurance forms processors), which handle PHI on a covered entity's behalf under a business associate agreement and are directly bound by the rules.
++
To maintain patient privacy, HIPAA codified four rules: the Privacy Rule, the Security Rule, the Unique Identifiers Rule, and the Enforcement Rule. A fifth, the Breach Notification Rule, was added later under the HITECH Act of 2009. The Privacy Rule sets national standards for the use and disclosure of Protected Health Information (PHI). PHI is individually identifiable health information held or transmitted by a covered entity, including medical records and payment history, in any form: written, oral, or electronic. The rule requires appropriate safeguards to protect the privacy of PHI and sets limits and conditions on when PHI can be used or disclosed without the patient's authorization. Many organizations hold health information about individuals but are not bound by the Privacy Rule, among them life insurers, workers' compensation carriers, state agencies such as child protective services, and law enforcement. That is not to say these entities can freely reveal health information; rather, they are bound by other regulations that restrict what they may disclose.
++
The Security Rule establishes national standards to protect PHI in electronic form only (electronic PHI, or ePHI). It requires administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of ePHI. The technical safeguards are the ones most relevant to engineers: access control, audit controls, integrity controls, person or entity authentication, and transmission security. The rule specifies required outcomes rather than particular products, so a covered entity must document a risk analysis showing how its chosen controls meet each standard.
++
The Breach Notification Rule requires HIPAA-covered entities and their business associates to provide notification following a breach of unsecured PHI. “Unsecured” PHI is PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons through a method approved by HHS guidance, such as encryption or destruction; a lost laptop whose disk was properly encrypted therefore does not trigger notification. The rule requires the covered entity to notify the affected individual(s) and the Secretary of the Department of Health and Human Services. Individuals must be notified without unreasonable delay and no later than 60 days after the breach is discovered. If the breach involves 500 or more people, the notification to the Secretary (and to prominent media outlets in the affected area) must also occur within 60 days of discovery. If fewer than 500 people are affected, the notification to the Secretary must occur within 60 days of the end of the calendar year in which the breach was discovered. A “breach” is an acquisition, access, use, or disclosure of PHI not permitted under the Privacy Rule that compromises the security or privacy of the PHI; such an incident is presumed to be a breach unless the entity documents, through a risk assessment, a low probability that the PHI was compromised.
++
The Enforcement Rule contains provisions relating to compliance and investigations of HIPAA violations and, when necessary, the imposition of civil money penalties or referral to the ...