HIPAA – Down and Dirty

When the Health Care Portability and Accountability Act of 1996 was enacted, physicians scrambled to understand what it meant for their individual practices. There was no clear understanding of what the act encompassed or where to begin in order to evaluate a practice's exposure. In a series of articles we will address the “Down and Dirty” facts covered under HIPAA.

Before we get “Down and Dirty,” let’s cover some basic terms we will be referencing in this and future articles:

  • Protected health information (PHI). HIPAA regulations apply to “protected health information,” that is, medical information that contains any number of identifiers such as name, social security number, telephone number, medical record number or zip code. The regulation protects all individually identifiable health information in any form, whether electronic, oral, or paper, that is stored or transmitted by a covered entity.
  • Covered entities. They are defined as (i) health plans, (ii) health care clearinghouses, and (iii) health care providers who electronically transmit any health information in connection with transactions for which HHS has adopted standards.
  • Business associates. A business associate is defined as a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity. To clarify, a member of the covered entity’s workforce is not a business associate. A covered health care provider, health plan, or health care clearinghouse can be a business associate of another covered entity. The Privacy Rule lists some of the functions or activities, as well as the particular services, that make a person or entity a business associate, if the activity or service involves the use or disclosure of protected health information. A few examples of business associate functions and activities include: claims processing or administration, billing, and practice management.
  • HIPAA regulations protect an individual’s right to the privacy of his or her medical information. That is to say, they are meant to keep the information from falling into the hands of people who may use it for their own personal gain or advantage. HIPAA privacy regulations require providers to obtain a signed consent form in order to use and disclose PHI for activities related to treatment, payment and health care operations, and to obtain a separate authorization to use or disclose PHI for any other purpose.
  • Covered entities must take specific measures to protect the integrity of the health information they hold and to prevent unauthorized breaches of privacy, as might occur if the data were lost or destroyed by accident, stolen by intent, or sent to the wrong person in error. Security measures can be physical, administrative, or technological.

In the next article we will lay out the potential fines for violations and provide real world examples.
