Ten HIPAA Questions Answered

Posted on January 18, 2012 by Kathleen Rand

In this blog, we will review ten questions about the Health Insurance Portability and Accountability Act, or HIPAA. The legislation can seem overwhelming; sometimes breaking it down can make it much easier to digest.

Of course, to ensure that your organization is prepared to overcome any compliance roadblock, please consult BHM regarding our HIPAA Compliance analysis.

[Image: HIPAA security lock] HIPAA ensures a 'lock' on privacy.

1. What is HIPAA?

The Health Insurance Portability and Accountability Act, or HIPAA, was passed by the federal government in 1996. The original intention of HIPAA was to help guarantee the continuation of health insurance coverage when an individual left his or her job. Additionally, HIPAA was expanded to include a number of provisions in order to simplify and lower the costs of processing health information. A number of these provisions deal with the standardization of electronic transactions, particularly regarding security and privacy issues.

2. What is the HIPAA Security Rule?

HIPAA requires the implementation of security standards to help protect health information, yet it does not spell out any specific security requirements. HIPAA simply necessitates administrative, technical and physical safeguards to ensure the confidentiality and integrity of health information. These requirements have been defined and published in the HIPAA Security Rule by the Department of Health and Human Services.

4. What type of information is protected by HIPAA?

Health information is defined as any information, whether spoken or recorded in any form, that is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or healthcare clearinghouse. This information can be related to the past, present or future physical or mental health condition of an individual, the delivery of health care to an individual, or the past, present or future payment for the provision of healthcare to an individual.

5. Who must comply with the HIPAA Security Rule?

Any Health Plan, Health Care Clearinghouse or a Health Care Provider who transmits health information in electronic form must comply with the HIPAA Security Rule. A Health Plan is defined as an individual or group plan that provides or pays the cost of medical care. A Health Care Clearinghouse is defined as a public or private entity, including a billing service, re-pricing company, community health management information system or community health information system that does either of the following functions: (1) Processes health information received from another entity in a nonstandard format; or (2) Receives a standard transaction from another entity and processes health information into nonstandard format for the receiving entity. A Health Care Provider is defined as a provider of services, a provider of medical or health services and any other person or organization who delivers, bills or is paid for health care in the normal course of business.

6. What are the repercussions of non-compliance with HIPAA?

Failure to comply with HIPAA requirements could result in significant financial loss through civil penalties, not to mention damage to an organization’s reputation. HIPAA states that civil penalties up to $100 per day per person can be issued for non-compliance. While this does not seem like a large sum, it can quickly add up. For instance, if student health information was exposed for 1000 students over the course of 30 days, the fines could reach $3,000,000.

7. May a physician or hospital “fax” a patient’s medical information to other physicians or to an insurer?

Yes. The Privacy Rules do not prohibit a “covered entity” from faxing protected health information. A physician should be sure, however, to comply with the Privacy Rules’ requirements for disclosures generally. For example, the physician should check whether the “minimum necessary” rule applies and, if it does, limit the information in the fax to the minimum necessary information.

Also, a physician should be sure to have appropriate security safeguards in place that are administrative, technical, and physical in nature. For example, the physician should use policies and procedures that require office staff to verify the recipient’s fax number and use a cover sheet that does not include protected health information.

8. What is the “minimum necessary” standard?

HIPAA requires a physician to make reasonable efforts to limit the amount of protected health information that the physician uses or discloses to the minimum amount that is necessary to accomplish the purpose of the use or disclosure.

Importantly, this requirement does not apply when a physician discloses information to another provider for treatment purposes or when a physician requests information from another provider for treatment purposes. Accordingly, the minimum necessary standard should not interfere with a physician’s ability to provide appropriate treatment to patients.

9. May a physician discuss information about a patient’s treatment with other physicians using e-mail or fax?

Yes. Physicians may use any method of communication — including e-mail, oral conversations, written letters, or other methods (including sending facsimiles) — so long as the physician uses “reasonable and appropriate safeguards” to protect the communication. HIPAA does not prohibit a covered entity from emailing or faxing protected health information to a physician.

If a covered entity cites the Privacy Rules as the reason it will not fax information to a physician, the physician may direct the covered entity to the Department of Health and Human Services’ Frequently Asked Questions at: http://www.hhs.gov/ocr/privacy/hipaa/faq/index.html. The physician may also assure the covered entity that appropriate safeguards are in place to receive the fax securely.

10. If a patient’s family members call to ask how their loved one is doing, what can the treating physician disclose?

HIPAA allows a physician to share a patient’s information with the patient’s family member or friend if the information is limited to what is directly relevant to that person’s involvement in the patient’s care. For example, a physician may tell a person living with the patient that the patient needs plenty of rest and lots of fluids or that the patient needs to take a prescribed medication twice daily with food. The physician should not share more information than the person needs to assist with the patient’s care.

A physician should not share a patient’s information with the patient’s family or friends if the patient has asked the physician not to, or if the physician believes, in his/her professional judgment, a disclosure would be inappropriate.

This entry was posted in Compliance and tagged BHM Healthcare Solutions, compliance healthcare, HIPAA, HIPAA Security, Privacy Rules.

BHM Healthcare Solutions
Healthcare Management and Consulting Firm Improving Financial &
Operational Performance of Health Care Enterprises
Suite 102, 1033 Corporate Square Drive St. Louis, MO 63132
888-831-1171 Office, 888-818-2425 Fax
email: results@bhmpc.com
Copyright © 2011 BHM. All rights reserved