Just like nearly every industry, the healthcare industry can go through a lot of seemingly unnecessary paperwork. This is not to say the information on those documents is useless, just that with the advent of computers, that information can be stored in a more eco-friendly and cost-effective manner. The original intent of HIPAA was to combat such waste of paper and similar natural resources. The acronym HIPAA stands for Health Insurance Portability and Accountability Act, and it was enacted in 1996. Of course, as those of us who have ever had our personal computer hacked can attest, information on computers can be viewed by anyone with enough knowledge of how to bypass security measures to find it. While HIPAA was undoubtedly a good decision for eliminating waste and unnecessary costs, the inherent security risks required new privacy regulations overseen by the Department of Health and Human Services.
About a decade ago, if you walked into any healthcare-related business you were bombarded with forms for you to sign. All these forms were simple acknowledgements on your behalf that the company had a plan in place for protecting your personal health information. If you have questions about your rights under HIPAA, the information below should help. The finer points of HIPAA are as follows:
- If you ask them to show you their plan to protect your info, they are required by law to show you.
- They have to explain how they’ll disclose information.
- You can request copies of health information and make appropriate changes.
- You may also ask for a history of any unusual disclosures.
- If a covered entity wishes to share your health information, they must first get your formal consent.
- You have the right to file a formal complaint with the Department of Health and Human Services about any potential HIPAA violations.
- Health information can only be used for health purposes. Unless you give consent, this info may not be used for financial matters or during the employment process.
- When it is necessary to share health information, they should only share the minimum information needed.
- Psychotherapy or similar records receive an added level of protection.
What are Permitted Uses of Health Information?
There are six primary instances where a covered entity is permitted to use and disclose protected health information without the individual’s consent. They are as follows:
1. Individual – Of course, the health entity may disclose this information to the individual who is the subject of the information.
2. Treatment, Payment, and Healthcare Ops – Under treatment, an entity may disclose info for its treatment or to facilitate info regarding a patient from one provider to another. Under payment, an entity may disclose info to obtain premiums, fulfill insurance requirements and reimburse for services. Under Healthcare Ops, an entity may disclose info for audits or legal purposes, quality control, competency assurance, and general business planning and development.
3. Opportunity to Agree or Object – Informal permission may be obtained by asking the individual outright, or by circumstances that clearly give the individual the opportunity to agree, acquiesce, or object. In the event the individual is incapacitated, the health entity may make a decision based on professional expertise on what is best for the patient. Information that may fall under this would be the health facility directory and for the notification of health information to family members.
4. Incidental Use and Disclosure – The Privacy Rule does not require that every risk of an incidental use or disclosure of protected health information is eliminated. A use or disclosure of this information that occurs as a result of, or as “incident to,” an otherwise permitted use or disclosure is permitted as long as the covered entity has adopted reasonable safeguards as required by the Privacy Rule, and the information being shared was limited to the “minimum necessary,” as required by the Privacy Rule.
5. Public Interest and Benefit Activity – The Privacy Rule permits use and disclosure of protected health information, without an individual’s authorization or permission, for 12 national priority purposes. Those are: Required by Law, Public Health Activities, Victims of Abuse/Neglect/Domestic Violence, Health Oversight, Judicial Proceedings, Law Enforcement, Decedents, Organ/Tissue Donation, Research, Threat to Health, Essential Government Functions, and Workers’ Compensation.
6. Limited Data Set – A limited data set is protected health information from which certain specified direct identifiers of individuals and their relatives, household members, and employers have been removed. A limited data set may be used and disclosed for research, health care operations, and public health purposes, provided the recipient enters into a data use agreement promising specified safeguards for the protected health information within the limited data set.
The info above provides a brief overview of HIPAA and is in no way meant to be all-encompassing. For more information on HIPAA regulations and to learn about your rights and protections, you can visit HHS.gov or contact the U.S. Department of Health and Human Services.
About the author:
The writer, Brian Levesque, has worked in the medical industry in the past and is familiar with HIPAA regulations and the many ways they protect privacy. One of these ways is by requiring the use of a secure faxing service for patient information transmission, and you can find a selection of online faxing services that are HIPAA compliant by visiting Find-A-Fax. You can learn more about Brian on Google+.