The Basics of HIPAA
What is HIPAA?
As part of our promise at South Peninsula Hospital to give our patients the highest quality health care, we have always kept information about their health confidential, sharing it only with people who need the information to do their jobs.And now only is it our promise, it is the law.The Privacy Rule ensures that personal medical information you share with doctors, hospital and others who provide and pay for healthcare is protected. The Health Insurance Portability and Accountability Act of 1996, or “HIPAA” for short gives patients the right to gain access to their records, request amendments to their health information, and limit the ways the facility uses their information. Alaska state law already provides some of these rights, but HIPAA makes them a federal mandate for the first time.
What brought about this law?
HIPAA is a broad law that covers a variety of issues. One goal was to enable people to easily move from one health insurance plan to another as they change jobs or become unemployed and allow providers treating patients to share information more easily.
The law requires health care providers and payers to use standard formats for common transactions such as submitting an insurance claim on a patient’s behalf. Today, with e-mail and access to the Internet, it is much easier for providers to share records, but it is also much easier for people to misuse the information they contain.
That’s why the law includes sections with requirements for protecting patient privacy and confidentiality and ensuring security of health information. Under the HIPAA privacy and security rules it is illegal under most circumstances to fail to adequately protect protected health information from unauthorized release or to release protected health information without permission.
Who is covered by the HIPAA Privacy Rule?
Under Section 1172(a) of the Social Security Act, these regulations apply to health plans, a health care clearinghouses, and health care providers who transmit any health information in electronic form in connection with a health care transaction. HIPAA also indirectly affects business associates who have access to protected patient information.
What is considered Protected Patient Information?
Protected patient information (PHI) includes all identifying information patients provide and information about their treatment, including the following: name; address; age; social security number; diagnosis; medical history; medications; billing information; and physician’s personal notes maintained by a covered entity, regardless of form, written, oral or electronic.
HIPAA’s Privacy Rule is all about the use and disclosure of PHI. Obviously, doctors, nurses, therapists, dietitians, and others use this information about patients to determine how to treat them. Coders and billing department employees use confidential information to bill patients, their insurance companies, Medicare, or Medicaid for services. Staff performing quality improvement activities may review confidential information to make sure patients are receiving high quality care.
What is Minimum Necessary?
HIPAA requires health care employees to use or share only the “minimum necessary” information they need to do their jobs effectively. Covered entities must develop policies and practices to make sure the least amount of health information is shared. Each employee must be identified who regularly access PHI along with the types of PHI needed and the conditions for access.
The minimum necessary requirement does not apply to treatment. Clinical staff can look at their patient’s entire record and freely share information with other clinicians caring for that patient.
When is Authorization Required?
The Privacy Rule requires a signed authorization from the patient to use or disclose their PHI for purposes other than treatment, payment or healthcare operations. An authorization must be written in specific terms. It may allow use and disclosure of PHI by the covered entity seeking the authorization or by a third party. The authorization must include:
- A description of the PHI to be used/disclosed, in clear language
- Who will use/disclose PHI and for what purpose
- Whether or not it will result in financial gain for the covered entity
- The patient’s right to revoke the authorization
- A signature from the patient/legal guardian whose records are used/disclosed, and a date of signing
- An expiration date.
A copy of our Authorization to Release Protected Health Information and Xray Authorization forms and a copy of the Revocation of Authorization form can be downloaded. SPH policy HW-79 outlines the fee schedule for copy service.
When is Authorization Not Required?
PHI can be used/disclosed without authorization, but require patient agreement, for the following reasons:
- To maintain a facility’s patient directory
- To inform family members or other identified persons involved in the patient’s care, or notify them on patient location, condition or death
- To inform appropriate agencies during disaster relief efforts.
Other permitted uses/disclosures that do not require patient authorization include:
- Public health activities related to disease prevention or control
- To report victims of abuse, neglect, or domestic violence
- Health oversight activities such as audits, legal investigations, licensure or for certain law enforcement purposes or government functions
- For coroners, medical examiners, funeral directors or tissue/organ donations
- To avert a serious threat to health and safety.
- Statewide Health Information Exchange
What is the Notice of Privacy Practices?
Patients have the right to adequate notice concerning the use/disclosure of their PHI on the first date of service delivery, or as soon as possible after an emergency. A new notice must be issued when a facility changes their privacy practices. Registration staff at SPH will ask all patients at the time of registration of they would like a printed copy of our Notice of Privacy Practices.
Once a patient has received notice of his or her rights, covered entities must make an effort to get written acknowledgment of receipt of notice from the patient, or document reasons why it was not obtained. Copies must be kept of all notices and acknowledgments.
This notice also tell patients that they have the right to see their own records, obtain copies of them, and request amendments to them. HIPAA calls for covered entities to designate a contact person or office for receiving complaints of privacy violations. For further information on these topics please contact SPH’s Privacy Officer at 907-235-8101.
What are the consequences for not complying?
Breaking HIPAA’s privacy or security rules can bring civil or criminal penalties. Civil penalties are fines of up to $100 for each violation of the law per person to a limit of $25,000 for each identical requirement. Criminal penalties can include not only legal fines, but also jail time. The penalties increase with the seriousness of the offense. These penalties can be as high as a $250,000 fine or a prison sentence up to 10 years.
HIPAA protects our patient’s fundamental rights to privacy and confidentiality. At SPH the Privacy Rule is everyone’s business, from the CEO to the healthcare professional to the maintenance staff.