HIPAA - Health Insurance Portability and Accountability Act

Enacted by Congress in 1996, HIPAA was created to protect health insurance coverage for workers who change or lose their jobs and to standardize the electronic exchange of health information between providers, insurers and employers. Many physicians nonetheless view HIPAA as a "bureaucratic impediment to patient care" rather than as a step forward in protecting patient confidentiality. HIPAA establishes regulations for the use and disclosure of Protected Health Information (PHI).

PHI: Any information about health status, provision of health care, or payment for health care that can be linked to an individual. This is interpreted broadly and includes any part of a patient's medical record or payment history.

Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs.

Title II of HIPAA requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers. The Administrative Simplification provisions also address the security and privacy of health data.

The standards are meant to improve the efficiency and effectiveness of the nation's health care system by encouraging the widespread use of electronic data in the US health care system. Hospitals and clinics were required to hold training sessions for their staff about the regulations and rules set forth by HIPAA, and to give their patients notice of how the act affects them and how their information is handled.

One of the immediate concerns with HIPAA is its perceived interference with everyday patient care: the rules can seem irrational and burdensome. One example is the disclosure of identifiable information in electronic messages. If two doctors discuss a patient's treatment options over email or chat software, the appropriate way to identify the patient is by medical record number rather than by name. Note that a medical record number is itself one of the identifiers that makes information PHI, so the message must still be protected; using it merely limits what a casual reader learns. Other hurdles attributed to HIPAA include the withholding of vital patient documentation without the patient's prior signed consent, even when the patient is too critically ill to give it; pharmacies refusing faxed prescriptions or insurance authorization forms; and a report of a HIPAA consultant recommending that a facility be remodeled because patient records were stored within reading distance of the patient sign-in desk. In fact, HIPAA does not prohibit such forms of communication; it makes providers aware of the consequences of careless disclosure. Nor does it require remodeling of office space. Some believe that these misinterpretations are steadily declining over time and are simply the growing pains of implementing a new policy.

Requirements of the Federal Privacy Regulations

  1. The healthcare provider must make reasonable efforts to use and disclose only the minimum identifiable information needed to accomplish the intended purpose.
  2. Make efforts towards instituting reasonable safeguards against prohibited or incidental use or disclosure of private information.
  3. Patients must receive written notice of their privacy rights and the organization's privacy practices.
  4. Patients are allowed access to their medical records and have the right to request that changes be made.
  5. Clinicians and institutions must develop privacy policies and procedures and train all staff about the privacy regulations.
  6. Documented recognition of how individually identifiable health information may be used or disclosed for research and marketing and by business associates of the clinicians and institutions.
  7. Violations and Consequences:
    1. Civil penalties start at a $100 fine per violation, up to $25,000 per calendar year for repeated violations of the same requirement.
    2. Criminal penalties may be imposed for knowingly disclosing or obtaining protected information in violation of the privacy regulations. The maximum penalty is a $250,000 fine and up to 10 years' imprisonment.

Ethical guidelines articulate the rationale for overriding confidentiality in certain situations.

On February 16, 2006 HHS issued the Final Rule regarding HIPAA enforcement. It became effective on March 16, 2006. The Enforcement Rule sets civil money penalties for violating HIPAA rules and establishes procedures for investigations and hearings for HIPAA violations; however, its deterrent effect seems to be negligible, with few prosecutions for violations.

Key provisions in brief:
  • Increases portability of health insurance coverage (Title I) and standardizes electronic health records (Title II)
  • PHI must be provided to a patient who requests a copy of their records within 30 days
  • Patients can report privacy complaints to the government
  • Enforces stiff penalties for violators
  • Limits who can view patient data
  • Includes administrative, physical, and technical safeguards

Exceptions to enforcement

There are a few narrowly defined exceptions to HIPAA's disclosure restrictions. The majority of these exceptions deal with law enforcement agencies, social services agencies, and individual entities being granted access to protected health information in specific situations. Some of these exceptions include:
  • The release of protected health information if relevant to a court case.
  • If state or federal law requires the immediate release of specific information
  • An entity may disclose health information of an individual who is believed to be a victim of abuse
  • An individual may request an accounting from an entity of any prior releases (within the last six years) of the individual's health information

Related Terminology:

HIPAA, Enforcement Rule, The Unique Identifiers Rule, The Security Rule, The Transactions and Code Set Rule, The Privacy Rule

Web Resources:
Full Text of HIPAA (.pdf)
HIPAA Web Site
eHow Facts

Wikipedia: HIPAA

Bernard Lo, MD, Laurie Dornbrand, MD, MPH, Nancy N. Dubler, LLB. "HIPAA and Patient Care: The Role for Professional Judgment." JAMA, April 13, 2005, Vol 293, No. 14. 2005 American Medical Association, www.jama.com (accessed April 21, 2007).