Health Insurance Portability and Accountability Act of 1996 (HIPAA)

HIPAA is a federal law enacted on August 21, 1996. Its privacy provisions require health plans, health care providers and health care clearinghouses to take greater care in the use and disclosure of health information.

The following entities are subject to the HIPAA privacy rules:

  • Health plans
  • Health care clearinghouses
  • Health care providers

What does confidentiality mean?

Confidentiality means sharing patient information only with the staff member or other individual who needs it, on a “need-to-know” basis. Here are some simple steps you can use to protect the privacy and security of patient health information:
  • Post Notice of Privacy Practices in waiting area.
  • Make sure every patient receives the Notice of Privacy Practices and signs an acknowledgment of receipt.
  • Keep medical records in a restricted area and in a locked file cabinet.
  • Make sure PHI is safely filed away at the end of each workday.
  • Make sure computers are logged off or shut down according to company policy.
  • Use a fax coversheet and confirm fax numbers when faxing patient health information.
  • Put the fax machine in a secure location away from public viewing.
  • Turn computer screens inward, away from public viewing.
  • Conduct staff training on HIPAA policies and procedures.
  • Designate a staff member to handle compliance and/or HIPAA concerns for your office.
  • Establish role-based access to computer systems that store sensitive and confidential information.
  • Establish a policy and procedures for accessing, sharing and securing protected health information.
  • Do not email protected health information over the internet unless the message or attachment is encrypted and password protected.
  • Establish a policy and procedure for computer and internet usage.
  • Establish a policy and procedure for release of medical records.
  • Establish a policy to ensure all visitors check at the front desk.
  • Make sure computers are backed-up periodically.
  • Have staff shred documents that contain protected health information but are not part of the patient record.
  • Make sure computer anti-virus software is updated on a regular basis as required.
  • Make sure passwords to computers that house PHI are changed every 90 days.
  • Terminate an employee’s access to the facility and to computer systems as soon as the employee leaves the company.

What is Protected Health Information?

Protected Health Information (PHI) is individually identifiable health information, in any form or medium (electronic, paper or oral), that is held or transmitted by a covered entity such as a group health plan or provider. Individually identifiable health information is information, including demographic data, that relates to an individual’s past, present or future physical or mental health or condition, to the provision of health care to the individual, or to payment for that care, and that identifies the individual (or could reasonably be used to identify the individual). The Privacy Rule lists 18 identifiers that must be removed before information is considered de-identified; some of them are:
  • Names of individuals
  • Dates – including birth date, admission date, and date of death
  • Telephone numbers
  • Fax numbers
  • Social Security numbers
  • Medical record number
  • Health plan enrollee number
  • Account numbers
  • Certificate/license numbers
  • Geographic units – all geographic subdivisions smaller than a state, including street address, city, county, precinct and zip code

May a Virginia health plan disclose Protected Health Information to a person who calls the plan on the member’s behalf?

The privacy rules under HIPAA allow a health plan (or other covered entity) to disclose to a family member, relative or close friend of an individual the PHI that is directly relevant to that person’s involvement in the individual’s care or payment for care. A covered entity also may disclose PHI to persons who are not family members, relatives or close friends of the individual if the covered entity has obtained reasonable assurance that the person has been identified by the individual as being involved in his or her care or payment. No written authorization is required in these instances; the disclosure may be made if the member agrees, is given an opportunity to object and does not, or the plan can reasonably infer from the circumstances that the member does not object, and only the PHI relevant to that person’s involvement may be disclosed. The Department of Health and Human Services provides these two examples of circumstances under which a plan may disclose PHI:
  • A health plan may disclose relevant PHI to an enrollee’s daughter who has called to assist her hospitalized, elderly mother in resolving a claim or other payment issue.
  • A health plan may disclose relevant PHI to a human resources representative who has called the plan with the enrollee also on the line, or who could turn the phone over to the enrollee who could then confirm for the plan that the representative calling is assisting the enrollee.

Uses and Disclosures of PHI

Covered entities are not required to obtain an individual’s authorization to use or disclose protected health information for Treatment, Payment and Health Care Operations (TPO):
  • Treatment – the provision, coordination or management of health care and related services.
  • Payment – activities to obtain reimbursement, including billing and claims management.
  • Health Care Operations – business activities of the organization such as quality assessment and improvement, training programs, accreditation, licensing, credentialing, premium rating, legal services, business management and general administrative activities.
Authorization is required for uses and disclosures outside TPO unless the Privacy Rule specifically permits or requires them without authorization (for example, disclosures required by law or to public health authorities). Psychotherapy notes are an exception to the TPO rule: with limited exceptions, their use or disclosure requires the individual’s authorization even for treatment, payment or operations.

Must a health plan periodically notify enrollees about the availability of its Notice of Privacy Practices?

Yes. Under the HIPAA privacy rules, a health plan must remind enrollees at least every 3 years of the availability of its Notice of Privacy Practices, as well as how to obtain a copy.

What is the purpose of the HIPAA Privacy Rule?

The HIPAA Privacy Rule creates national standards to protect individuals’ medical records and other personal health information.

Must a health care provider obtain permission from a patient prior to notifying public health authorities of the occurrence of a reportable disease?

No. The Privacy Rule permits a covered entity to disclose PHI to a public health authority that is authorized by law to collect it, without the patient’s authorization. All states have laws that require providers to report cases of specific diseases to public health officials.

Does the HIPAA Privacy Rule change the way in which an individual can grant another person health care power of attorney?

No. Nothing in the Privacy Rule changes the way in which an individual grants another person power of attorney.

If someone has health care power of attorney for an individual, can they obtain access to that individual’s medical records?

Yes. A person holding health care power of attorney is the individual’s personal representative and may exercise the individual’s right of access. However, when the provider reasonably believes, in its professional judgment, that treating a person as the individual’s personal representative could endanger the individual, the provider may choose not to treat that person as the personal representative.

Does a power of attorney given to a person for purposes other than health care, authorize that person to access an individual’s health information as that individual’s personal representative?

No. A power of attorney that does not specify decisions related to health care would not authorize the holder to exercise the individual’s rights under the HIPAA Privacy Rule.

Does the HIPAA Privacy Rule allow parents the right to see their children’s medical records?

Yes. The Privacy Rule generally allows a parent, as the minor child’s personal representative, to have access to the medical records about his or her child, provided that such access is not inconsistent with state law.

Does the HIPAA Privacy Rule provide rights for children to be treated without parental consent?

No. The Privacy Rule does not address consent to treatment. It addresses access to and disclosure of health information, not parental consent.