The Health Insurance Portability and Accountability Act (HIPAA) is a Federal statute, and associated regulations, that, among other things, control what healthcare providers and other “covered entities” do with “protected health information” (PHI). The HIPAA regulations are fairly straightforward, but there are a lot of them. There is a good summary here, with links to the relevant portions of the Code of Federal Regulations (CFR). This article covers only the basics.
Who Does HIPAA Apply To?
“Covered entities” are health care providers, health plans, and health information clearinghouses. The latter are usually aggregators of health information from hospitals, doctors, and the like. “Protected health information” is any information that relates to an individual’s past or present health status, treatment, and payments for any treatment an individual receives. Past, present, and future healthcare records are covered.
Data falls under HIPAA protection for 50 years after the death of the patient. The form in which the information exists does not matter – it can be written, oral, or electronic. If the information is in electronic form, additional requirements for protecting it apply.
Why Should I Worry About All This?
People are concerned about following HIPAA guidelines, and they should be. It’s important to protect the personal and healthcare information of all patients. In addition, the Office of Civil Rights (OCR) within the Department of Health and Human Services (HHS) can impose large fines and other penalties for HIPAA violations. Hospitals and health systems have been fined in the millions of dollars for HIPAA violations. And HIPAA violations, if they make it into the news media, always create bad publicity.
What Can I Do To Remain Compliant?
Training of staff on HIPAA rules and practices is by far the most important step. The second is making sure that PHI stored in electronic form is protected. That involves things like:
- Using encryption when data is stored or transmitted
- Making sure that staff have only the access needed to do their jobs
- Making sure that access to systems is, at a minimum, protected by strong passwords
- Protecting records with the latest technology such as swipe cards or biometric identifiers
What Do I Have To Do To Conform To HIPAA?
You need to:
- Formulate your privacy practices
- Notify patients of privacy practices
- Obtain consent or authorization when required
- Make sure that your arrangements with business partners meet HIPAA requirements
- Make sure you distinguish your normal health care operations, where consent is not required, from disclosures, where consent or authorization is required
- Make sure you follow the HIPAA “security rule,” which covers PHI in electronic form
It goes without saying that your legal department needs to be involved in all of this. The Notice of Privacy form should inform patients and staff of what your practices and guidelines are. The notice should be given in written form to patients when they are first encountered.
“Arrangements with business partners” concerns companies that may have access to PHI in the course of providing services to a health care provider. These include companies that provide storage of documents, destruction of documents, or electronic handling of documents. You are required to make sure that they understand the HIPAA requirements and conform to them. You can think of it as the HIPAA requirements “flowing downhill” from you to your business associates.
What’s The Difference Between Consent And Authorization?
In many cases, no consent is required. This includes disclosure of PHI for treatment, payment, and health care operations. A covered entity may seek consent from a patient for these purposes but is not required to; doing so is common practice.
On the other hand, an authorization is required for any use of PHI other than the ones listed above. An authorization is more formal than a consent, must be written, and must contain several elements, which are covered here.
Authorization is required when the disclosure is for any purpose other than treatment, payment, or health care operations. This includes disclosure to a third party, such as a life insurance company, an employer, or a provider not affiliated with your healthcare organization.
Please note that electronic transmission of PHI is covered by the authorization requirement as well. If authorization to send the information on paper is needed, authorization to send it electronically is needed as well.
What Are The Takeaways?
- HIPAA compliance is not optional.
- Penalties for violating it can be very costly.
- HIPAA applies to PHI in any form – paper or electronic.
- Obtaining consent is generally a good idea; authorizations, where they apply, are required.
- Depending on the services your business partners provide to you, they may be required to conform to HIPAA as well.
- It is always better to err on the side of caution when dealing with HIPAA.
If you still have questions, be sure to visit the HIPAA website. Today, there are many organizations that can help you learn about and comply with HIPAA guidelines. For instance, many managed IT services providers have tools to help with compliance.