Health Insurance Portability and Accountability Act (HIPAA)
- What is HIPAA?
- Who is Covered?
- What information is safeguarded by HIPAA’s Privacy regulations?
- What do HIPAA’s Privacy Standards require?
- Must an individual always authorize the release of his or her PHI before it may be disclosed?
- What is required for a valid authorization?
- What does the term “Minimum Necessary” mean in regard to HIPAA?
- Helpful Third Party Links
What is HIPAA?
HIPAA is the acronym for the Health Insurance Portability and Accountability Act of 1996. HIPAA was enacted by Congress, in part, as a response to concerns regarding the treatment of confidential health information. The Department of Health and Human Services developed privacy regulations under HIPAA that became effective on April 14, 2003. These regulations provide individuals with access to their medical record and more control over how their health information is used and disclosed.
Who is Covered?
HIPAA applies to three fundamental categories of organizations referred to as Covered Entities. These Covered Entities are Health Plans (individuals or groups that provide or pay for health care); Health Care Clearinghouses (companies that facilitate the processing of health information such as billing services); and Health Care Providers (private practitioners such as physicians, dentists, pharmacists and other health care facilities such as hospitals). In order for one of these entities to be required to comply with HIPAA, it must conduct certain transactions in electronic form, such as the submission of patient bills or the transmission of patient information. A college or university’s health care center may or may not be subject to HIPAA depending upon whether some of its transactions are conducted electronically. Universities with health care centers conducting such transactions may consider themselves as a Hybrid Entity (i.e., entities whose business activities include both covered and non-covered functions). Hybrid Entities may designate which components are subject to HIPAA. Even if an entity is not protected by HIPAA, the information may be subject to state laws on privacy. The University of Mississippi has designated itself a Hybrid Entity, with the Student Health Center as subject to HIPAA.
What information is safeguarded by HIPAA’s Privacy regulations?
The privacy regulation sets standards for the collecting, sharing and storing of Protected Health information (PHI). Protected Health Information is information (1) that is individually identifiable; (2) that relates to an individual’s past, present, or future medical condition or treatment, regardless of form (oral, written, electronic); and (3) that is created or received by a Covered Entity.
What do HIPAA’s Privacy Standards require?
Generally, the new privacy regulations set standards for determining who is permitted to use, disclose, or access PHI. Individuals are entitled to a Notice of Privacy Practices describing their rights under the new privacy regulations. The University of Mississippi Health Center’s Notice of Privacy Practices may be found at https://www.olemiss.edu/depts/stu_health/RxNOPP.html.
Individuals have the right to review and make copies of various communications contained in their PHI. Certain information contained in an individual’s PHI may be excluded from release to the individual. Special rules apply to psychotherapy notes. Access may also be denied if a Covered Entity determines that releasing the PHI to the individual would cause harm to him or her or someone else. Also, an individual may be denied access to information compiled in reasonable anticipation of, or for use in, civil, criminal, or an administrative proceeding.
Individuals may request amendments to their PHI. Of course, an amendment may be denied by the Covered Entity if it determines that the original record is accurate and complete. If denied, the individual may submit a statement of disagreement for the record. Individuals may request that they be contacted in a certain manner (e.g., via e-mail, telephone, or at a different address). They also may request restrictions for the use and disclosure of their PHI. Such requests may be approved or denied. Individuals have a right to an accounting of disclosures of PHI by the Covered Entity for the last six years with certain exceptions. One exception is for releases of PHI to carry out treatment, payment and health care operations. Additionally, individuals may file a complaint with the Covered Entity or the Office for Civil Rights of the U.S. Department of Health and Human Services.
Must an individual always authorize the release of his or her PHI before it may be disclosed?
No. Under HIPAA, authorization is not required to disclose PHI in all situations.
The biggest exception allows disclosure of PHI, without authorization, for purposes related to treatment, payment, and health care operations. Other exceptions allowing the release of PHI, without authorization, by a Covered Entity include the following:
- Uses and disclosures required by law;
- Uses and disclosures for public health activities (such as to report infectious diseases, or vital effects (e.g., births and deaths));
- Disclosures about victims of abuse, neglect or domestic violence to a government authority;
- Uses and disclosures to a health oversight agency for health oversight activities (including audits, investigations, inspections, licensure actions, and disciplinary proceedings);
- Disclosures for judicial and administrative proceedings (1) in response to an order of a court or administrative tribunal or (2) in response to a subpoena, discovery request or other lawful process if “satisfactory assurance” is received that the subject of the PHI has been given notice of the request or that reasonable efforts have been made to secure a qualified protective order;
- Disclosures for law enforcement purposes;
- Uses and disclosures about decedents to coroners, medical examiners, and funeral directors;
- Uses and disclosures for organ, eye or tissue donation purposes;
- Disclosures for research purposes provided that the Covered Entity obtains a waiver of authorization from either an Institutional Review Board or a properly constituted Privacy Board and other conditions are met;
- Uses and disclosures to avert a serious threat to health or safety;
- Uses and disclosures for specialized government functions such as military and veterans activities, national security and intelligence activities, medical suitability determinations;
- and Disclosures for Workers’ Compensation.
Some of these exceptions have detailed conditions that must be met and the HIPAA regulations should be carefully reviewed and the circumstances analyzed to determine if an exception is applicable to a particular situation. Disclosures not otherwise specifically permitted or required under HIPAA must have an authorization. Several requirements must be met for a valid authorization.
What is required for a valid authorization?
HIPAA regulations require that a valid authorization contain a meaningful description of the information to be disclosed; the name of the person or entity that is authorized to disclose the PHI; the name of the person or entity authorized to receive the PHI; the date, event, or condition upon which consent will expire; the date and signature of the individual authorizing the release; and a statement that the individual has a right to revoke the authorization in writing except to the extent that the entity has already acted upon it. Please note that a Covered Entity may not condition treatment on the receipt of an executed authorization.
What does the term “Minimum Necessary” mean in regard to HIPAA?
With certain exceptions, HIPAA requires that uses and disclosures of PHI be the minimum necessary for the intended purpose of the use or disclosure. Thus, the entity must take reasonable steps to limit the use or disclosure of PHI to the minimum necessary to accomplish the intended purpose. The rationale behind this requirement is that PHI should not be used or disclosed when it is not necessary to satisfy a particular purpose or to perform a certain function. Exceptions include disclosures for treatment; disclosures to the patient; uses or disclosures in accordance with an individual’s authorization; disclosures to the Department of Health and Human Services for enforcement purposes; uses or disclosures for compliance with certain HIPAA rules; and uses or disclosures that are required by law.