HIPAA: The Nuts and Bolts

HIPAA details are elusive.  Medical providers verbally pass the word about HIPAA from provider to provider, but no one actually reads the specifics of the law.  We all understand the basic gist of HIPAA, don’t disclose any patient information to anyone, but sometimes I have more specific questions about the mandate.  Can I tell patient stories to my friends if I don’t say the person’s name?  What about when the pharmacist calls about changing a medication: is it appropriate for me to name the patient’s diagnosis?  I have never actually read a single letter of the HIPAA law, so I am doing so today to pick out the highlights.

The HIPAA law is divided into two main sections: the Privacy Rule and the Security Rule.  The Security Rule concerns how electronic health information is created, received, used and maintained in order to protect electronic and physical health information; essentially, these are the things IT and administration work with.  The Privacy Rule deals with what type of patient information is protected, how that information is protected, and how it can be used and disclosed.  As nurse practitioners, we are mostly concerned with the Privacy Rule, so I will only discuss this section of HIPAA law in this post.

The U.S. Department of Health and Human Services implemented HIPAA in 1996 to establish standards for the use and disclosure of personal health information.  The goal of the Privacy Rule portion of HIPAA law is to assure that individuals’ health information is properly protected while still allowing for the flow of information necessary within the healthcare system.

Who Is Governed By the HIPAA Privacy Rule?

Three parties fall under the rule of HIPAA law: Health Plans, Health Care Providers, and Health Care Clearinghouses.

1. Health Plans- Individual and group health insurance plans (including health, dental, vision and prescription drug insurers) are required to protect patient information.  This also includes government health plans such as Medicare and Medicaid.  Insurance plans that do not fall under HIPAA law include plans such as worker’s compensation and life insurance, even though these plans may have access to some of your personal medical information.

2. Health Care Providers- That’s us!  Both individuals and organizations (ex. hospitals) are governed by HIPAA law.

3. Health Care Clearinghouses- Health care clearinghouses are entities that process medical information.  Institutions like billing companies, pricing companies, and health management information systems (EHR companies) must comply with HIPAA regulations.

Any employee of the institutions covered by HIPAA is also held accountable to the law.  For example, the waiting room coordinator for the ER where I work is responsible for complying with privacy laws because she is a hospital employee, even though she is not technically a healthcare provider.

What Kind of Patient Information is Protected Under HIPAA?

The Privacy Rule protects all “individually identifiable health information” in any form, whether oral, electronic or written.  It includes information regarding the individual’s past, present or future health condition, information concerning the provision of healthcare to the individual, and information about past, present or future payment for the provision of healthcare to the individual.  The Privacy Rule specifies that any information specifically identifying the individual, or for which there is a reasonable basis to believe it can be used to identify the individual, is protected.

There are no restrictions on the use of de-identified health information.  If enough qualifiers are removed in describing the medical situation that there is a reasonable basis to believe the individual cannot be identified, the information is not subject to HIPAA law.

When Can You Disclose Patient Information?

Here’s the good stuff.  Healthcare providers and organizations are allowed to disclose private patient information without an individual’s consent for the following purposes or situations: to the individuals themselves, in order to receive payment for healthcare services rendered, for the treatment activities of another healthcare provider, and to other healthcare operations covered under HIPAA for competency/quality assurance or fraud/abuse detection.  In these situations, both entities sharing information must have or have had a relationship with the individual, and the protected health information shared must pertain to that relationship.  One exception to this rule involves the treatment of mental health patients: most uses and disclosures of psychotherapy information require authorization by the individual.

Informal permission (not written) for sharing private health information is permitted under HIPAA.  Informal permission is acceptable if the patient is asked outright about information sharing, or if the individual clearly has the opportunity to agree, acquiesce or object to the sharing of information.

Healthcare providers and entities are required to disclose personal information in two situations: you must disclose health information to the individual it concerns, especially when access is requested, and to the U.S. Department of Health and Human Services when it is reviewing compliance or using the information for an enforcement action.

In all other situations, authorization must be obtained in writing to disclose personal health information. 

What if the individual is unable to give consent for sharing health information?  

In an emergency situation, or if an individual is incapacitated or otherwise unable to exercise judgement, health information can be disclosed if it is in the best interest of the individual.

Are There Any Exceptions to Privacy of a Patient’s Health Information?

The government recognizes 12 situations in which protected health information can be disclosed without an individual’s consent.  These situations include: legal requirement (ex. court orders), public health activities (ex. to public health authorities for controlling disease), victims of abuse, neglect or domestic violence, health oversight activities (ex. to government benefit programs), judicial and administrative proceedings, law enforcement purposes, decedents (ex. funeral directors, medical examiners), research, serious threat to health or safety, essential government functions (ex. military operations, national security concerns), and worker’s compensation.

Laws governing HIPAA are long and extensive.  I have tried to give a general outline here.  For more exhaustive information, visit the Department of Health and Human Services website.  While attempting to create a practical, concise outline of HIPAA law, I was left with this sentiment: “Just don’t be nosy”.  If you mind your own business, use good judgement and act in the best interest of the patient, in most situations you will remain within the bounds of HIPAA law.

Later this week, I will discuss the penalties for non-compliance with HIPAA.