The Health Insurance Portability and Accountability Act of 1996 (HIPAA) touched on many ways that health care providers and health insurance companies do business. Two of the major areas where HIPAA changed the way medical organizations do business were in the areas of privacy and security. The rules themselves are long and complicated, but the following is a brief introduction to the privacy and security rules under HIPAA.
Privacy. HIPAA required the Secretary of the Department of Health and Human Services (HHS) to establish rules for protecting the privacy of health information if Congress did not makes those rules within three years of passing HIPAA. Those three years passed, and there was no action from Congress. In 1999, HHS published its first draft of the rules, which were eventually adopted in 2000. The rules were revised in 2002. The Privacy Rule can be broken down into: who is covered by the rule, what is protected, and what must be done.
The rule sets out a category of people and business called “covered entities” who must comply with the privacy rule. Covered entities include health plans, health care clearinghouses, and any health care provider who transmits health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA. Health plans are entities like insurance companies, HMOs, Medicare and Medicaid, and most employer-sponsored health benefit plans. Health care clearinghouses are businesses that take non-standard health information and convert it to standardized information for use by other organizations. And health care providers are doctors, hospitals, and other practitioners who send electronic information about their patients, such as when they file insurance claims for patients or when they input data into a hospital database.
The privacy rule also sets out what information is protected: “Protected Health Information” is any individually identifiable health information that is held or transmitted by a covered entity in any form: paper, electronic, or oral. If the information is about the health care, health condition, or payment for health care, and if the information can be linked to an individual person, then it is Protected Health Information and must be guarded.
The rule also tells covered entities what they can and cannot do. First, the entity can share any PHI if the individual gives written consent. But without written consent, the covered entity can only disclose PHI for six purposes: (1) to the individual; (2) for the treatment, payment, and health care operations of the covered entity; (3) after giving the individual an opportunity to agree or object; (4) incident to an otherwise permitted use and disclosure; (5) when the public interest is requires certain information to be passed, and (6) by making a limited data set from which certain direct identifiers of individuals have been removed.
Security. The HIPAA law also required HHS to create a security rule, which it did in 1998. It took five years for the draft rule to be finalized in 2003.
The Security Rule applies to the same covered entities as the privacy rule (health plans, healthcare clearinghouses, and healthcare providers.) But the information that is subject to the Security Rule is only some of the PHI that is subject to the Privacy Rule: only the individually identifiable health information that a covered entity creates, receives, maintains or transmits in electronic form. The Security Rule does not apply to PHI transmitted orally or in writing.
Any Covered Entity that creates electronic PHI is required to: (1) ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit; (2) identify and protect against reasonably anticipated threats to the security or integrity of the information; (3) protect against reasonably anticipated, impermissible uses or disclosures; and (4) ensure compliance by their workforce.
The HIPAA privacy and security rules were just a small part of the entire law, but have changed the way that covered entities protect the personal information of their patients. The Privacy Rule prevents a covered entity from passing along personally identifiable information in any form. The Security Rule sets up standards for covered entities in the creation and retention of electronic health records.