In 1996, the Federal Government enacted the Health Insurance Portability and Accountability Act (“HIPAA”) which took effect in April of this year. HIPAA was promulgated in response to the privacy concerns that were arising due to the increase in electronically transferred medical information and the ease with which that information could be obtained by unintended parties, as well as a perceived need that a single national standard was needed to protect the privacy of individuals’ health information. The goal of HIPAA is to balance the keeping of individuals’ health information private with other social benefits such as healthcare and research which requires general availability. The primary objectives of the HIPAA are:
- to give consumers access to their health information while giving them control over who can use and disclose it;
- to improve healthcare quality by restoring public trust and willingness to give information; and
- to improve efficiency and effectiveness by creating a nationwide privacy network.
HIPAA rules apply to “covered entities” which are organizations that transmit health information such as health plans, healthcare clearing-houses and healthcare providers which include hospitals, pharmacies, nursing homes, doctors and clinics. Covered entities must now follow strict procedures before transmitting any “protected health information” (PHI) which includes “individually identifiable health information” regarding a person’s physical and mental health. Identifiable information is demographic information that can reasonably be used to identify an individual.
HIPAA does not protect health information for a patient’s treatment, payment or healthcare operations. Health information may be released to a patient’s family and others when it is determined that it is in the patient’s best interest. HIPAA protects consumers from disclosure of their PHI outside what is necessary for treatment, payment or healthcare operations. In addition there are certain situations when PHI can be transmitted and used. PHI can be released if the patient has authorized its use for a specified purpose; however the authorization must be in writing, and signed, and the patient has the right to revoke it at any time. Health information can be used if it is altered so that no single person is identifiable. Researchers can review PHI only as needed to prepare reports, protocols, etc. They can use PHI data that excludes direct identifiers when preparing and publishing studies. PHI of decedents may be used for research purposes and there is a grandfather provision that exempts its application to research that had begun before April 14, 2003.
PHI can be released to Public Health Authorities authorized to collect information to prevent/control disease. The Food and Drug Administration (“FDA”) may also use the information for purposes related to the quality, safety or effectiveness of an FDA-regulated product or activity. Courts and grand juries can order warrants, subpoenas or summons for PHI to aid victims of abuse, neglect or domestic violence.
HIPAA gives patients the right to obtain their medical information and control how it is used and disclosed. The rule adds a new layer of privacy protections by regulating on a national level how health information is handled. Authorizations will become required more frequently than they have in the past. It is expected that HIPAA will indirectly affect entities that rely on the health information because of the authorization requirement, and the mandatory removal of personal identifiers will slow down the transmission PHI needed by such entities.
The added documentation and bureaucracy may be burdensome for some; however, at a time when our individual rights and privacy seem to be declining, and personal information is increasingly available to almost anyone who is computer literate, we can take some comfort in legislation such as HIPAA. It may not be the ultimate solution to privacy concerns, but it helps.
— J.K. Butera