• What Type of Privacy does HIPAA Cover under Employee Benefits?

    HIPAA is the Health Insurance Portability and Accountability Act. When you as an employee give your personal information to doctors who share it with pharmacies, insurance companies, researchers, and sometimes employers, this federal law thoroughly protects your privacy.

    HIPAA defines your rights concerning your health information and also sets rules as to who is allowed and not allowed to have access to your personal health information. Although HIPAA protects individuals, it also allows information to be revealed for medical treatment purposes.

    Health plans, health plan clearinghouses, and any healthcare provider that transmits healthcare information electronically are covered by the HIPAA Privacy Rule.

    Health care plans include medical, dental, vision, prescription drug insurers, health maintenance organizations, Medicare, Medicaid, Medicare + Choice, government and church sponsored programs, and multi-employer health plans.

    Covered health care providers include all health care providers that provide personal information electronically, regardless of size.

    HIPAA protects all individually identifiable health information held or transmitted by a covered entity or its business associate in any form or medium, whether paper, electronic, or oral.

    Individually identifiable information includes information about the individual’s past, present, or future physical or mental health or condition, the provision of health care to the individual, or the past, present, or future payment for the provision of health care to the individual, where that information identifies the individual or there is a reasonable basis to believe it can be used to identify the individual. For example, this would include the name, birth date, address, and/or Social Security number.

    A covered entity is prohibited from disclosing protected health information unless the Privacy Rule permits or requires the entity to do so, or the individual who is the subject of the information (or the individual’s personal representative) authorizes the disclosure in writing.

    A disclosure is required in only two situations: to individuals or their personal representatives when they request access to their protected health information, and to HHS in connection with an investigation, review, or enforcement action.

    The HIPAA Privacy Rule contains a very important minimum necessary use and disclosure principle. A covered entity must make reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose of the use, disclosure, or request. When the minimum necessary standard applies to a use or disclosure, the entity may not request the entire record unless the entity can prove that the entire record is the minimum reasonably needed for the purpose.

    The minimum necessary requirement does not apply to: a disclosure to, or a request by, a health care provider for treatment; a disclosure to the individual who is the subject of the information or to the individual’s personal representative; a use or disclosure made pursuant to an authorization; a disclosure to HHS for complaint investigation, compliance review, or enforcement; a use or disclosure that is required by law; or a use or disclosure required for compliance with the HIPAA Transaction Rule or other Administrative Simplification Rules.

    Each HIPAA covered entity is required to provide a notice of privacy practices. The notice must describe how the covered entity may use and disclose protected health information and must state the covered entity’s duties to protect privacy, provide a notice of privacy practices, and abide by the terms of the current notice. The notice must explain the individual’s rights, which include the right to complain to HHS and to the covered entity if the individual believes that their privacy rights have been violated. Additionally, the notice must include a point of contact for further information and for making complaints to the covered entity. Covered entities must act in accordance with their notices.

    Entities that are covered by HIPAA and refuse to comply with the Privacy Rule may be subject to civil penalties. These penalties vary according to the date of the violation, whether the covered entity knew or should have known of the failure to comply with the Privacy Rule, and whether the covered entity’s failure to comply was due to willful neglect. Penalties cannot exceed a calendar-year cap for multiple violations of the same requirement. Criminal penalties may also be imposed on persons who knowingly obtain or disclose individually identifiable health information in violation of the Privacy Rule.