Overview of the Health Insurance Portability and Accountability Act (HIPAA)
Congress enacted the Health Insurance Portability and
Accountability Act (HIPAA) in 1996. The purpose of this law is
to protect private individual health information from being
disclosed to anyone without the consent of the individual.
Except under unusual circumstances, the consent needs to be in
writing.
However, there are some exceptions to the consent provision. The
consent provision does not apply in the following situations:
- Treatment
- Billing
- Quality assurance
- Peer review
- Business planning activities
- Staff training
- Required reporting to public health agencies
- Certain emergency situations
- Research studies that have obtained a waiver from the Institutional Review Board (IRB)
Research
Private health information can be used in research studies if it
is "de-individualized" so that the identity of the individual
cannot be ascertained from the information disclosed. For
example, if you were conducting a study of the lung problems
suffered by New Yorkers after the 9/11 terrorist attacks, it
would be permissible to identify a patient as a 50-year-old,
5'11", 175 lb. white male from New York City with high blood
pressure.
Marketing
Health care providers are prohibited from selling or using their
patient or enrollee lists to market products from a third
party. However, they can use their list to communicate with or
sell their own services to their list members. Great care must
be taken to restrict access when using online collaboration,
such as an intranet.
Business Associates
All business associates, vendors or other contractors that use
the health care provider's facility must sign a contract stating
that they understand and agree to be bound by HIPAA regulations.
The health care provider can be held responsible for the actions
of the business associate if the associate did not sign a contract or
there was a history of abuse and the health care provider did
nothing about it.
Individual Rights
Under HIPAA, individuals have the right to:
- Notice of the health provider's privacy practices
- Request restrictions on who is allowed to access their health information
- Access, inspect or copy their personal health information
- Request an accounting of all disclosures of their health information
- Request corrections or amendments to their health information
Health Care Providers' Responsibilities
Health care providers are required to:
- Provide security for both paper and electronic individual health information
- Institute a complaint process to investigate complaints
- Train staff on the law
The HIPAA regulations allow for both civil monetary and criminal
penalties for violations of the act.