October 26, 2012 by astancilwomack
As I mentioned in a previous post, most of us have signed an agreement stating that we read and understood the Health Information Portability and Accountability Act, but like most people, you probably did not read or understand the act. Likewise, many employees handing you the form to sign have not read it, do not understand what it is, and in fact most don’t even know what HIPAA stands for. This is a huge liability for medical practices, and should be a part of training upon hire. I have highlighted the law below, but you can also read the entire act at http://aspe.hhs.gov/admnsimp/pl104191.htm. Just a warning: this post is a bit long, but there were too many key points that I could not leave out.
Purpose: The law was enacted in 1996 to protect patients’ healthcare privacy due to the technological advances and electronic transfer of information. The act standardized the way healthcare receives and transfers information.
The Act applies to: Health plans, health care clearinghouses, and health care providers who use electronic transfers of any kind.
- A covered entity can use and disclose protected health information without the patient’s consent in the following situations:
  1. To the individual (unless required for access or accounting of information)
  2. Treatment, payment, and health care operations
  3. Opportunity to agree or object
  4. Incident to an otherwise permitted use and disclosure
  5. Public interest and benefit activities
  6. Limited Data Set for the purposes of research, public health or health care operations
- A covered entity must get the individual’s written consent to disclose any protected health information, psychotherapy notes, and information for marketing purposes for any reason other than those listed above.
- Protected Health Information: “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral.
- Minimum Necessary means the covered entities should only disclose the minimal information necessary to complete the request.
- Access and Use: this section refers to internal users. The covered entities need to establish policies and procedures regarding who should have access to protected health information, and restrict access to others.
- Disclosures/Request for Disclosures: Again, the covered entities need to have a policy and procedure for disclosures and ensure the minimum necessary is followed.
- Reasonable Reliance: If another covered entity is requesting disclosure of information, this can be relied on by complying with the minimum necessary.
- Privacy Practice Notice: This is the form I was referring to. A covered entity must have individuals sign a notice informing them of the reasons their protected information can be used and disclosed. For providers with a direct treatment relationship to the patient: The notice needs to be signed no later than the first visit. The notice needs to be displayed at each service site. In emergency situations, the provider must show the privacy notice as soon as possible. All other covered entities must supply their privacy notice upon request.
- Access: In most circumstances patients have a right to obtain their protected healthcare information upon request.
- Disclosure Accounting: This requires covered entities to account for their disclosures because the individuals have the right to request all disclosures. The maximum disclosure accounting period is six years from the date on which the disclosure account request was made. There are certain situations in which the disclosure accounting does not apply. See http://aspe.hhs.gov/admnsimp/pl104191.htm.
- Restriction Requests: These can be made by the individual in order to restrict disclosure of protected health information for treatment, payment, or health care operations. The covered entities do not have to accept these requests, but if they do accept the request, then they must honor it.
- Confidential Communications Requirement: A covered entity must allow the individual to request an alternate means or location for sending or discussing protected health information. The individual can also request a closed envelope from the covered entity, rather than a postcard.
- Circumstances where access is not allowed include: psychotherapy notes, information compiled for legal actions, lab results whose release the Clinical Laboratory Improvement Act (CLIA) prohibits, and lastly, information that may put the individual or anyone else in harm.
Administrative Responsibilities: In order to comply with HIPAA, covered entities must do the following:
- Implement privacy policies and procedures.
- Designate privacy personnel to implement and maintain the policies and procedures.
- They must train and continually manage their workforce on compliance.
- The covered entity must mitigate any harmful effects caused by disclosure of information.
- The covered entity must have safeguards in place for intentional or unintentional misuse of protected information.
- A covered entity may not require or ask a person to waive any right they have under HIPAA.
- A covered entity must keep records for six years from the date of creation, or the last effective date.
There are other components of this act, but I hope that I was able to cover the basics for you, and aid in a better understanding. Did you learn something you didn’t know? Feel free to comment.