HIPAA Privacy: The Rule, the Myths and the Facts

HIPAA Privacy, the rule that helps the Administrative Simplification

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule is the first comprehensive Federal protection for the privacy of personal health information. Research organizations and researchers may or may not be covered by the HIPAA Privacy Rule.

This guide provides information on the HIPAA Privacy Rule for the community.

Introduction to the HIPAA Privacy Rule

In response to a congressional mandate in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the U.S. Department of Health and Human Services (HHS) issued the regulations Standards for Privacy of Individually Identifiable Health Information. For most covered entities, compliance with these regulations, known as the Privacy Rule, was required as of April 14, 2003.

The Privacy Rule is a response to public concern over potential abuses of the privacy of health information. The Privacy Rule establishes a category of health information, referred to as "protected health information" (PHI), which may be used or disclosed to others only in certain circumstances or under certain conditions. PHI is a subset of what is termed "individually identifiable health information." With certain exceptions, the Privacy Rule applies to individually identifiable health information created or maintained by a covered entity. Covered entities include health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with certain defined HIPAA transactions, such as claims or eligibility inquiries.

In addition to the Privacy Rule, other regulations may apply as well. For instance, individual records held by covered entities that are also alcohol and substance abuse treatment providers are protected by the Federal Confidentiality of Alcohol and Substance Abuse Patient Records Regulation (see 42 CFR part 2). Also, the HHS and the U.S. Food and Drug Administration (FDA) Protection of Human Subjects Regulations (45 CFR part 46 and 21 CFR parts 50 and 56, respectively) may apply to health services research. In addition, if health-related research involves electronic PHI, covered entities must also consider the requirements of the HIPAA Security Rule (45 CFR part 160 and part 164, subparts A and C). Compliance with the Security Rule is required no later than April 20, 2005, for all HIPAA-covered entities, except for small health plans, which have an extra year to comply.

The HIPAA Privacy Rule, Myths and Facts

Since April 14, 2003, health care providers, health plans, and health care clearinghouses have been required to be in compliance with the HIPAA (Health Insurance Portability and Accountability Act) Privacy Rule. Both the 1996 Congress and the two recent administrations agree that a privacy law is needed to ensure that sensitive personal health information can be shared for core health activities, with safeguards in place to limit the inappropriate use and sharing of patient data. The HIPAA Privacy Rule takes critical steps in that direction to require that privacy and security be built in to the policies and practices of health care providers, plans, and others involved in health care. Despite the law's clear purpose and scope, a lack of widespread and consistent public education, training, and technical assistance has given rise to a number of persistent and destructive myths. The following are some common myths regarding the Privacy Rule and the facts about what the law actually says.

HIPAA Privacy Rule Myth #1

One doctor's office cannot send medical records of a patient to another doctor's office without that patient's consent

No consent is necessary for one doctor's office to transfer a patient's medical records to another doctor's office for treatment purposes. The Privacy Regulation specifically states that a covered entity is permitted to use or disclose protected health information for treatment, payment, or health care operations, without patient consent. As HHS explains, treatment includes consultation between health care providers regarding a patient and referral of a patient by one provider to another. HHS states that providing health records to another health care provider for treatment purposes can be done by fax or other means.

HIPAA Privacy Rule Myth #2

Health care providers can share personal health information with employers

The Privacy Rule absolutely prohibits health care providers and plans from disclosing personal health information to employers without a patient's explicit, written authorization. A valid authorization under the law must include a description of the information to be shared, the name of the person allowed to use or disclose the information, an expiration date, and the signature of the individual. The Privacy Rule also covers self-insured employers when they are acting in their capacity as a health plan. These employers must construct an organizational firewall, so that the health care information they gather can only be used for health care related functions, and plan administrators are prohibited from sharing that information with other employees. However, some employers do collect health information independently, such as through workforce surveys. In this scenario, employers are not acting as health plans, and therefore are not covered by the law.

HIPAA Privacy Rule Myth #3

A hospital is prohibited from sharing information with the patient's family without the patient's express consent

Under the Privacy Rule, a health care provider may disclose to a family member, other relative, or a close personal friend of the individual, or any other person identified by the individual, the medical information directly relevant to such person's involvement with the patient's care or payment related to the patient's care. Uses and disclosures for involvement in the individual's care and notification purposes are clearly permitted. The Rule states that if the patient is present, the health care provider may disclose medical information to such people if the patient does not object. If the patient is unable to agree or object to disclosure because of incapacity or an emergency circumstance, the covered entity may determine whether the disclosure is in the best interests of the patient. The professional judgment of the health care provider should inform any decision regarding disclosure of protected health information to a family member or friend who is involved in the patient's care, as these disclosures are permitted, but not mandatory. If a hospital or other health care provider refuses to provide any relevant medical information to family members, it is, again, the hospital's policy and not required by the Regulation.

HIPAA Privacy Rule Myth #4

The HIPAA Privacy Regulation prohibits or discourages doctor/patient emails

The Privacy Rule allows providers to use alternative means of communication, such as email, with appropriate safeguards. Doctors and other healthcare providers may continue to communicate with patients via email. Both the HIPAA Privacy and Security Regulations require providers to use reasonable and appropriate safeguards to ensure the confidentiality, integrity, and availability of any health information transmitted electronically, and to protect against any reasonably anticipated threats to the security of such information. Therefore, a covered entity is free to continue using email to communicate with patients, but should be sure that adequate safeguards, such as encryption, are used.

HIPAA Privacy Rule Myth #5

The Privacy Regulation mandates new disclosures of patient information

As HHS states, disclosure is mandated in only two situations: to the individual patient upon request, or to the Secretary of the Department of Health and Human Services for use in oversight investigations. Disclosure is permitted, not mandated, for other uses under certain limits and standards, such as to carry out treatment, payment, or health care operations, or under other applicable laws. Disclosure of protected health information has always been permitted for purposes such as national security, public health monitoring, and law enforcement, as well as many others. The Privacy Rule requires that patients be informed, through the notice of privacy practices, of these uses and disclosures. Nearly all of these uses and disclosures are permissive, so health care plans and providers may choose not to use or disclose medical information.

HIPAA Privacy Rule Myth #6

A patient's family member can no longer pick up prescriptions for the patient

Under the Regulation, a family member or other individual may act on the patient's behalf to pick up filled prescriptions, medical supplies, X-rays, or other similar forms of protected health information. The Regulation permits the health care provider to reasonably infer that doing so is in the patient's best interest and in accordance with professional judgment and common practice. HHS specifically explains that the Rule allows a pharmacist to dispense filled prescriptions to a person acting on behalf of the patient. Similarly, HHS issued guidance and a press release on July 6, 2001 that explicitly stated that the rule allows a friend or relative to pick up a patient's prescription at the pharmacy. Therefore, if pharmacies prohibit this common practice, it is their own policy, not one mandated by the HIPAA Privacy Regulation.

HIPAA Privacy Rule Myth #7

The HIPAA Privacy Regulation imposes so many administrative requirements on covered entities that the costs of implementation are prohibitive

The White House issued a report in March 2002 estimating the costs of implementing privacy over ten years at approximately $18 billion and estimating the savings incurred from putting the transaction standards in place over ten years at approximately $29.9 billion, thus saving the health care industry approximately $12 billion overall. Further, there will be additional savings in the long term because patients will have more faith in the health care system, so they will be less likely to withhold vital information from their doctors, and will more readily seek care.

HIPAA Privacy Rule Myth #8

A patient cannot be listed in a hospital's directory without the patient's consent and the hospital is prohibited from sharing a patient's directory information with the public

The Privacy Rule permits hospitals to continue the practice of providing directory information to the public unless the patient has specifically chosen to opt out. The Regulation states that a health care provider, such as a hospital, may maintain a directory that includes the patient's name, location in the facility, and condition in general terms, and disclose such information to people who ask for the patient by name. The patient must be informed in advance of the use and disclosure and have the opportunity to opt out of having his or her information included in the directory. Emergency situations are specifically provided for in the Regulation, so if the patient is comatose, or otherwise unable to opt out due to an emergency, the hospital is permitted to disclose directory information if the disclosure is consistent with the patient's past known expressed preference and the provider determines disclosure is in the individual's best interest. The provider must provide the patient with an opportunity to object, when it becomes practicable to do so. Any more restricted uses of directory information, such as requiring patients to ask to be listed in, or opt into, the directory, are either the hospital's own policy or confusion about the Privacy Regulation.

HIPAA Privacy Rule Myth #9

Patients' medical records can no longer be used for marketing

Use or disclosure of medical information is explicitly permitted for certain health related marketing under the HIPAA Privacy Rule. For example, communication about a plan's health related products or alternative treatments and services is not considered marketing for the purposes of the Rule even if the health care provider is paid to encourage the patient to use the product or service. The 2000 version of the Privacy Rule required that patients be notified if the health care provider was paid to communicate about a health related product, be given the opportunity to opt out of future communications, and be informed of the identity of the source of the communication.

HIPAA Privacy Rule Myth #10

Patients can sue health care providers for not complying with the HIPAA Privacy Regulation

The HIPAA Privacy Regulation does not give people the right to sue. Even if a person is the victim of an egregious violation of the HIPAA Privacy Rule, the law does not give people the right to sue. Instead, individuals must file a written complaint with the Secretary of Health and Human Services via the Office for Civil Rights. It is then within the Secretary's discretion to investigate the complaint. HHS may impose civil penalties ranging from $100 to $25,000, and criminal sanctions ranging from $50,000 to $250,000, with corresponding prison terms, may be enforced by the Department of Justice. However, since the law went into effect, HHS has focused on a complaint-driven process that relies on voluntary compliance with the law. So far, not one civil monetary penalty has been issued.

HIPAA Privacy Rule Myth #11

The HIPAA Privacy Rule imposes many new restrictions on hospitals' fundraising efforts so that fundraising becomes almost impossible

According to the Rule, a hospital may use, or disclose to its "business associate" or an institutionally related foundation, demographic information and the dates of health care provided to an individual "for the purpose of raising funds for its own benefit, without an authorization [from the patient]." Such use or disclosure is not permitted unless disclosed in the notice of privacy practices. Any fundraising materials that the covered entity sends to an individual must include a description of how the individual may opt out of future fundraising communications. Therefore, the Rule does not hinder fundraising in the first instance, and if a covered entity wants to target specific patients it must include this information in its notice of privacy practices. Hospitals must also make reasonable efforts to ensure that those who decide to opt out of receiving future fundraising communications do not continue to receive such communications.

HIPAA Privacy Rule Myth #12

If a patient refuses to sign an acknowledgment stating that she received the health care provider's notice of privacy practices, the health care provider can, or must, refuse to provide services

The HIPAA Privacy Rule grants the patient a "right to notice" of privacy practices for protected health information, and requires that providers make a "good faith effort" to get patients to acknowledge they have received the notice. The law does not grant health care providers the right to refuse to treat people who do not sign the acknowledgement, nor does it subject the provider to liability if a good faith effort was made. A health care provider or health plan "must provide a notice that is written in plain language" that informs the patient of "the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights and the covered entity's legal duties with respect to protected health information." The HIPAA Privacy Rule requires a covered health care provider with direct treatment relationships with individuals to give the notice to every individual no later than the date of first service delivery to the individual, to provide a copy of the notice to the patient upon request, to post a copy of the notice in a prominent location, and to "make a good faith effort to obtain a written acknowledgment of receipt of the notice" except in emergency situations. The acknowledgment of the receipt of notice of the privacy practices is not a consent for treatment. It is not an authorization for the release of medical records. A patient's signature acknowledging receipt of the notice, or her refusal, does not create or eliminate any rights, so it should not be the basis for providing or refusing treatment.

The Readers Feedback

  • mulberry May 23, 2008 @ 6:41 pm
    Excellent information on a topic people of don't understand.
  • rms Jul 27, 2007 @ 2:24 pm
    Really important lens! 5*
  • NicholeB Jul 25, 2007 @ 1:14 am
    Wow, what an informative lens! Great job!

    Oodles of stars for you!

    ~NicholeB

    http://www.squidoo.com/makebeads/
  • RolandK_Mary Jul 24, 2007 @ 11:26 pm
    another excellent work jonitas. well done! 5*

by

JonitasKalimpo
