Overview of the Health Insurance Portability and Accountability Act (HIPAA)

Congress enacted the Health Insurance Portability and Accountability Act (HIPAA) in 1996. The purpose of this law is to protect private individual health information from being disclosed to anyone without the consent of the individual. Except under unusual circumstances, the consent must be in writing. However, there are some exceptions to the consent provision. The consent provision does not apply in the following situations:

- Treatment
- Billing
- Quality assurance
- Peer review
- Business planning activities
- Staff training
- Required reporting to public health agencies
- Certain emergency situations
- Research studies that have obtained a waiver from the Institutional Review Board (IRB)

Research

Private health information can be used in research studies if it is "de-individualized" so that the identity of the individual cannot be ascertained from the information disclosed. For example, if you were conducting a study of the lung problems suffered by New Yorkers after the 9/11 terrorist attacks, it would be permissible to identify a patient as a 50-year-old, 5'11", 175 lb. white male from New York City with high blood pressure.

Marketing

Health care providers are prohibited from selling or using their patient or enrollee lists to market products from a third party. However, they can use their lists to communicate with or sell their own services to their list members. Great care must be taken to restrict access when using online collaboration tools, such as an intranet.

Business Associates

All business associates, vendors or other contractors that use the health care provider's facility must sign a contract stating that they understand and agree to be bound by HIPAA regulations. The health care provider can be held responsible for the actions of a business associate if the associate did not sign a contract, or if there was a history of abuse and the health care provider did nothing about it.

Individual Rights

Under HIPAA, individuals have the right to:

- Notice of the health provider's privacy practices
- Request restrictions on who is allowed to access their health information
- Access, inspect or copy their personal health information
- Request an accounting of all disclosures of their health information
- Request corrections or amendments to their health information

Health Care Providers' Responsibilities

Health care providers are required to:

- Provide security for both paper and electronic individual health information
- Institute a complaint process to investigate complaints
- Train staff on the law

The HIPAA regulations allow for both civil monetary and criminal penalties for violations of the act.