HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) is a law that was passed in 1996 to protect patients' privacy on a national scale. To improve the effectiveness and efficiency of the healthcare system, HIPAA included Administrative Simplification provisions under which the Department of Health and Human Services (HHS) was expected to adopt national standards for security, unique health identifiers, and electronic health care transactions. At the time, Congress noted that advances in electronic technology increased the possibility of health information falling into the wrong hands. As a result, provisions requiring federal privacy protections for individually identifiable health information were also incorporated into HIPAA.
In December 2000, HHS issued the Privacy Rule, which aims to protect an individual's medical records and other personal health information held by three types of covered entities: health care clearinghouses, health plans, and health care providers. The rule applies to all forms of health information, whether written, electronic, or oral. It sets conditions that limit the use, accessibility, and disclosure of this information without authorization from the patient. Furthermore, under this rule patients obtain rights over their health information: they can obtain and examine their health records and request corrections where needed. Individuals receive a notification every time their health information is shared or issued. Moreover, they have a right to receive a report of when and why their health information was shared.
In February 2003, the Security Rule was published. With this rule, HHS set national standards for protecting the availability, integrity, and confidentiality of electronic protected health information. Individuals were expected to comply with this rule from 20 April 2005. The Enforcement Rule is another rule enacted by HHS; it sets out the standards for enforcing the Administrative Simplification rules. Finally, HHS formulated the Omnibus Rule, which implements various provisions of the HITECH Act in order to strengthen the security and privacy protections for the health information identified in HIPAA.
Whereas covered entities such as health plans, health care clearinghouses, and healthcare providers are expected to follow these regulations, life insurers, municipal offices, state agencies, employers, and most law enforcement agencies are not. If a covered entity seeks the assistance of a business associate in handling its tasks, it must draft a written business associate contract that governs the relationship. Beyond these contractual requirements, business associates are expected to comply with various provisions of HIPAA. Examples of health information that must be protected include a patient's billing information at the clinic, conversations a doctor has with other healthcare providers about a patient's treatment and care, and any information placed in the medical record by doctors or nurses. In most institutions, management sets up specific procedures that must be followed by anyone who intends to access healthcare records. They may also conduct training sessions for their employees, informing them of ways to protect such information.
If a patient feels that their rights (or someone else's) were denied or violated, they can file a complaint with the Office for Civil Rights (OCR), which is responsible for administering the Privacy and Security Rules. The OCR will then investigate the covered entity in question. For a complaint to be considered valid, it must be filed in writing, name the covered entity, describe the specific acts believed to be violations, and be filed within 180 days of when the breaches were discovered. HIPAA prohibits entities from retaliating against an individual for filing a complaint; if this happens, the OCR should be informed immediately. Because it is a law enforcement agency, the OCR is not allowed to provide the general public with any information about current or potential investigations.
Following a breach of unsecured protected health information, covered entities are expected to issue notifications as required by the HIPAA Breach Notification Rule. Covered entities must have a specific set of written policies regarding breach notification, and any employee who fails to abide by these policies should receive appropriate sanctions. Notice must be given to the Secretary, to the affected individuals, and in some cases to the media. Moreover, business associates are expected to notify the covered entity whenever a breach occurs by or at the business associate. A breach is an impermissible use or disclosure of health information. However, if the covered entity or business associate demonstrates that there is a low probability that the health information has been compromised, the incident is not considered a breach. Another exception applies if the covered entity or business associate is certain that the unauthorized person to whom the information was disclosed would not have been able to retain it.