Complying with the Health Insurance Portability and Accountability Act. Privacy standards.

The Privacy Rule: Limits the use and disclosure of PHI to purposes of treatment, payment, or routine health care operations. Requires covered entities to provide advance notice to the public of its policy governing disclosure of PHI. Requires entities covered by the Standard to secure general client consent to use and to disclose PHI for treatment, payment, or routine health care operations and to obtain specific client authorization to use or to disclose PHI for all other purposes unless the disclosure is specifically permitted without consent or authorization (e.g., a covered entity may disclose PHI to a health care oversight agency such as the Office of the Inspector General without first obtaining client authorization). In certain situations, a covered entity need only obtain client agreement to disclose PHI which may be oral or inferred from the circumstances surrounding the disclosure. For example, a covered entity could disclose PHI to a relative caring for the individual who is the subject of the health information. Expects covered entities to take measures to protect PHI from both inadvertent and deliberate misuse and disclosure. Requires, except in certain circumstances, the amount of PHI disclosed on any occasion to be limited to the minimum necessary to achieve the purpose of the disclosure. Gives individuals more control of their health information by permitting them to review and amend health information pertaining to themselves and to demand an accounting of persons to whom their health information has been disclosed. Establishes terms under which a covered entity may disclose PHI to a business associate. Permits states to maintain state laws that are more stringent than the Privacy Rule. The statute provides for significant civil and criminal penalties for failure to comply with the Standards. Violations are punishable by fines as much as $250,000 and 10 years imprisonment. The HHS, Office of Civil Rights is charged with enforcing the Standards. The HHS is expected to issue a single Enforcement Rule applicable to all three of the HIPAA Administrative Simplification Standards. Many worksite records will not be protected under the HIPAA Privacy Rule because employers are not covered entities and few occupational health professionals meet the criteria of being considered a covered entity. Nevertheless, occupational health professionals need to be knowledgeable about the application of HIPAA in the occupational health care setting. Furthermore, given that the Rule does not preempt state privacy laws that are more stringent than the Standards, occupational health professionals should monitor legislative activity related to privacy in the states in which they practice. To date, Oregon, Texas, and New Jersey have broadened HIPAA's definitions to create more covered entities and services.     

HIPAA: past, present and future implications for nurses

Congress enacted Health Insurance Portability and Accountability Act (HIPAA) in 1996 to limit the ability of an employer to deny health insurance coverage to employees with preexisting medical conditions. The law also directed the U.S. Department of Health and Human Services to develop privacy rules, including, but not limited to, the use of electronic medical records. This law has increased patient privacy, but in doing so has added to the financial burden, including personnel costs in health care. Nurses stand at the forefront in the resolution of the dilemma of patient privacy versus health care expediency. The purpose of this article is to assist nurses and other health care professionals to better understand their responsibilities regarding HIPAA regulations. First, responses to HIPAA regulations by covered entities to date, along with responses which are still needed, will be described. It will be noted that HIPAA is a work in progress and not a specific act. Next, future initiatives having HIPAA implications will be presented. In conclusion, the need for all covered entities and their personnel to look broadly at HIPAA as initiating a new way of work in health care will be emphasized.     

They're real and they're here: the new federally regulated privacy rules under HIPAA.

The purpose of the HIPAA Privacy Rules was to create national standards to protect the privacy of personal health information. As of April 14, 2003, all covered health care entities must comply with the newly implemented national standards. The importance of staying updated with the law, while particularly important for the patient's privacy, is just as important for the nurse to avoid civil punitive damages and possible criminal charges.     

The Health Insurance Portability and Accountability Act Privacy Rule: a practical guide for researchers

BACKGROUND: The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, intended to address potential threats to patient privacy posed by the computerization and standardization of medical records, provides a new floor level of federal protection for health information in all 50 states. In most cases, compliance with the Privacy Rule was required as of April 2003. Yet considerable confusion and concern remain about the Privacy Rule and the specific changes it requires in the way healthcare providers, health plans, and others use, maintain, and disclose health information. Researchers worry that the Privacy Rule could hinder their access to health information needed to conduct their research. OBJECTIVES: In this article, we explain how the final version of the Privacy Rule governs disclosure of health information, assess implications of the Privacy Rule for research, and offer practical suggestions for researchers who require access to health information. CONCLUSION: The Privacy Rule is fundamentally changing the way that healthcare providers, health plans, and others use, maintain, and disclose health information and the steps that researchers must take to obtain health data. The Privacy Rule requires researchers who seek access to identifiable health information to obtain written authorization from subjects, or, alternatively, to demonstrate that their research protocols meet certain Privacy Rule requirements that permit access without written authorization. To ensure continued access to data, researchers will need to work more closely than before with healthcare providers, health plans, and other institutions that generate and maintain health information.     

HIPAA--clinical and ethical considerations for nurses

Congress enacted the Health Insurance Portability and Accountability Act (HIPAA) to protect patients' basic rights to privacy and their control over the disclosure of their personal health information. Advances in and the more widespread use of communication technology were increasing the public's concerns over the ease with which their health information could be transmitted, how protected that information was during such transmissions, and their lack of approval for the use of that information by known and unknown third parties. This article, the first of two papers focusing on HIPAA, discusses HIPAA from the clinical perspective and focuses primarily on the HIPAA Privacy Rule. Under what circumstances can a covered entity disclose protected health information? What are the ethical issues inherent in HIPAA? What does HIPAA require of covered entities? What are the implications of HIPAA for professional nurses? The goal of HIPAA is to ensure the protection of confidential health information through having appropriate security systems to guard against unintentional disclosure of that information.     

Finding HIPAA in your soup

From the time when compliance with the Health Insurance Portability and Accountability Act (HIPAA) "privacy rule" became mandatory in April 2003 through April 2005, 12,542 complaints of privacy violations were filed nationally. But what constitutes a violation? Widespread confusion about the rule unnecessarily complicates nurses' relationships with patients and sometimes affects their clinical performance. A nurse responsible for HIPAA compliance at one hospital untangles the many threads of HIPAA's privacy rule and details its implications for nurses' everyday work.     

Stealth law: HIPAA's back-door regulation of "business associates"

The final HIPAA privacy modifications have substantially lightened the administrative, compliance, and liability loads borne by health plan and provider covered entities. Unlike under the original Clinton rules, for example, covered entities are no longer required to obtain patient consents, to monitor and mitigate the information practices of their business associates, or to treat patients as third-party beneficiaries of their business associate contracts. But the final modifications have done almost nothing to lessen the huge burdens and expense that will soon be imposed on those managed care entities that are merely business associates, a category that Congress never authorized HHS to regulate.     

Quality consciousness...auditing for HIPAA Privacy Compliance

The Health Insurance Portability and Accountability Act (HIPAA) privacy deadline has passed. Now it is essential to comply with the regulations. The stakes are high; therefore, a HIPAA Privacy Compliance Program must be part of an organization's quality initiatives. This article provides guidelines for the challenges of continual program improvement, successful cultural change, and effective monitoring of the existing program. Healthcare organizations will attain compliance goals through internal audits on the processes, policies, and training efforts of their HIPAA program.     

Final HIPAA security regulations: a review

This article examines the national standards for safeguarding the confidentiality, integrity, and availability of electronic protected health information under the final Privacy Rule of the Health Insurance Portability and Accountability Act (HIPAA). The standards require entities covered by the rule to implement basic safeguards to protect electronic protected health information from unauthorized access, alteration, deletion, and transmission. The final privacy rule applies to protected health information in any form.     

Evaluating HIPAA compliance: a guide for researchers, privacy boards, and IRBs

The purpose of this article is to describe implications of the Health Information Portability and Accountability Act of 1996 (HIPAA) for nurses engaged in human and health services research. In general, a person's private health information (PHI) may only be disclosed for treatment, payment, and business procedures related to healthcare service delivery. Access and/or use of the same information for research purposes necessitates another layer of review and may require a separate process of authorization. A brief historical overview of regulatory requirements regarding health information privacy and security standards for the electronic transformation of data and protection of electronically kept medical records is discussed and related to the role and responsibilities of researchers and organizations where research is conducted. In addition, a generic document template adaptable for use by an individual or organization is presented that can provide a quick, systematic review of HIPAA compliance when a research proposal is being developed or is received that seeks access to PHI.     

HIPAA Privacy 101: essentials for case management practice

The Health Insurance Portability and Accountability Act (HIPAA) has significant impact on the delivery of healthcare in the United States. The Administrative Simplification (AS) requirements of HIPAA are aimed at reducing administrative costs and burdens in the healthcare industry. The core components of HIPAA's AS requirements address healthcare transactions, code sets, security, unique identifiers, and privacy of health information. HIPAA's privacy standard limits the nonconsensual use and release of private health information, gives patients new rights to access their medical records and to know who else has accessed them, restricts most disclosure of health information to the minimum needed for the intended purpose, establishes new criminal and civil sanctions for improper use or disclosure, and establishes new requirements for access to records by researchers and others. This article focuses on HIPAA's privacy requirements as related to case management of workers compensation populations, the treatment of protected health information, and how case managers can ensure they provide appropriate services while navigating the requirements of HIPAA's privacy standard.     

Health Insurance Portability and Accountability Act of 1996: just an incremental step in reshaping government

In 1996, the federal Health Insurance Portability and Accountability Act (HIPAA) was adopted as a step toward reshaping government health care. Referred to as the HIPAA, it enables portability of health care insurance coverage for workers and their families when they change or lose their jobs (Title I), sets a standard or benchmark for safeguarding electronic and paper exchange of health information, and requires national identifiers for providers, health plans, and employers (Title II). The final policy implementation rule outlines the entities affected by the legislation as health care providers, health plans, health care clearinghouses, and vendors offering computer software applications to providers and those billing for health services (Health Privacy Project, 2002; Public Law 104-191 1996; Rules and Regulations, 2003; U.S. Department of Labor, 2005). Aside from the federal law, some entities and even states have set standards more stringent than those promulgated by the federal mandate (U.S. Department of Health and Human Services 2004; 2005a).     

Health information privacy protection: crisis or common sense?

Concerns about the protection of personally identifiable information are not unique to the health care industry; however, consumers view their medical records as more "private" than other information, such as financial data, because involuntary disclosure can affect jobs or health insurance status. This paper briefly touches upon new sweeping federal privacy standards mandated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The article outlines who and what is covered under the new rules, considers how practitioners can approach compliance with common sense, addresses concerns related to risk management, discusses consumer health privacy issues, and notes the difficulty of evaluating these rules and regulations. The article also looks at some unique privacy issues facing telemedicine and telehealth practitioners.     

The new HIPAA law on privacy and confidentiality

This article details what nurse administrators must know about the Health Insurance Portability and Accountability Act (HIPAA) that rewrites the rules on privacy, medical record confidentiality, and protected health information (PHI). Nurse administrators are responsible for knowing what information can be given to patients, families, the coroner, the media, courts, police, clergy, and attorneys. Implementation will require education to understand the intricacies of the law. The law carries substantial penalties for failure to comply.     

Understanding privacy in occupational health services

The aim of this study was to gain a deeper understanding of privacy in occupational health services. Data were collected through in-depth theme interviews with occupational health professionals (n = 15), employees (n = 15) and employers (n = 14). Our findings indicate that privacy, in this context, is a complex and multilayered concept, and that companies as well as individual employees have their own core secrets. Co-operation between the three groups proved challenging: occupational health professionals have to consider carefully in which situations and how much they are entitled to release private information on individual employees for the benefit of the whole company. Privacy is thus not an absolute right of an individual, but involves the idea of sharing responsibility. The findings open up useful new perspectives on ethical questions of privacy and on the development of occupational health practices.     

Caring for patients while respecting their privacy: renewing our commitment

In 1996, HIPAA or the Health Insurance Portability and Accountability Act (HIPAA) was enacted into law. This law has had a significant impact on the health care industry including the need for numerous changes in the way we communicate with our patients, their families, and with each other. This law provides rights to patients and safeguards for employees. It affects everyone in a health care setting. Since the days in which the Nightingale Pledge was written, nursing has stressed the importance of confidentiality regarding all patient matters. The current Code of Ethics for Nurses ANA, 2001) is clear in intent and meaning as it relates to the nurse's role in promoting and advocating for patient's rights related to privacy and confidentiality. For nurses, HIPAA is an endorsement of our previously articulated responsibility to our patients. The purpose of this article is to remind nurses of the importance of keeping patient information private. This reminder will come first as HIPAA is reviewed and the implications of this Act for nurses is discussed. The reminder will also come as challenges to maintaining privacy and strategies for promoting privacy are presented.     

HIPAA and nursing education: how to teach in a paranoid health care environment

Nursing faculty are affected by the paranoia that exists today as health care institutions individually interpret the Privacy Rule contained within the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Because nursing students and faculty have been thrust into this environment, faculty must understand the Privacy Rule to ensure that both they and their students are in compliance. In this article, we provide a framework for faculty as they take a proactive leadership stance in relation to HIPAA. A multifaceted approach is necessary as faculty begin to navigate the challenges imposed by HIPAA. Strategies discussed include informing faculty and educating students, while developing a value system related to confidentiality issues and creating a safe environment for sharing information.     

HIPAA: a few years later

This article addresses the impact of the Health Insurance Portability and Accountability Act (HIPAA) several years after implementation. The rationale for HIPAA and a clarification of key terms, including covered entities, personal health information, and designated record sets, is reviewed. The impact of HIPAA at work, including increased cost and the complexities of educating employees and patients is assessed. Implications for homeland security, disaster planning, unique patient identifiers, the compilation of personal health records, and research are discussed.     

Get on board with HIPAA privacy regulations

To avoid legal penalties, health care providers must comply with the HIPAA privacy regulations by April 14, 2003.     

HIPAA hoopla: privacy and security of identifiable health information.

The privacy and security provisions of the Health Insurance Portability and Accountability Act (HIPAA) are changing the standards for how identifiable health information is handled. This article explains HIPAA and how it interacts with the Family Educational Right to Privacy Act. The advent of HIPAA and the attention given to privacy and security of identifiable health information provides the opportunity for school nurses, school districts, and administrators to revisit and update how they handle student health information. Resources to assist in establishing policies, procedures, and practices that protect student and family health information are identified.