HIPAA: Where Do You Begin – The Need to Identify Individually Identifiable Health Information

Many health care providers are beginning to feel a gnawing anxiety about attempting to comply with the patient confidentiality requirements of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). I’ve even heard it said that "HIPAA compliance will dwarf fraud and abuse compliance." But as the Chinese proverb says, "the journey of a thousand miles begins with a single step." So, too, must we begin HIPAA compliance with a single step.

Congress passed HIPAA in 1996. HIPAA contained many provisions designed to simplify the administration of health insurance by standardizing the electronic transmission of certain administrative and financial transactions as well as protecting the security and privacy of the transmitted information. The goal was to give patients greater access to their own medical records and more control over how their personal information is used.

Regulations implementing the patient confidentiality provisions of HIPAA were recently issued in December of 2000. These regulations, designed to protect patients’ medical records by maintaining confidentiality and privacy, will take effect within 2 years for health care providers. The gist of HIPAA is that there should be confidential transmissions of health information between health care entities.

The HIPAA regulations apply directly to certain covered entities as well as directly to their business associates. Covered entities include health care providers, health care plans and health care clearinghouses that transmit health care information during certain transactions that are covered under the regulations. Business associates include any entity that performs a service on behalf of a covered entity whereby that service involves the use or disclosure of individually identifiable health information.

Please note that the final regulations extend the privacy requirements to all individually identifiable health information held or disclosed by a covered entity in any form, whether communicated electronically, on paper, or orally. In addition, health care providers are required to obtain patient consent for the use and disclosure of protected health information when used for treatment, payment or health care operations.

The final regulations issued by the U.S. Department of Health and Human Services ("DHHS") are intended to ensure quality of care. According to DHHS, the privacy regulations will still enable physicians and hospitals to have access to necessary medical information about a patient they are treating, and to consult with other physicians and specialists regarding a patient’s care. DHHS has also assured the health care industry that patient care will still be delivered in a timely and efficient manner and will not be unduly hampered by the regulation’s requirements surrounding consent forms. For example, pharmacists will still be able to fill prescriptions over the telephone.

Health care providers will be most directly affected by the final regulations’ patient consent requirements. Under the final regulations, health care providers who see patients will be required to obtain patient consent before sharing their information for treatment, payment, and health care operations. In addition, separate patient authorization must be obtained for non-routine disclosures and most non-health care purposes. Patients will have the right to request restrictions on the uses and disclosures of their information. With few exceptions, such as appropriate law enforcement needs, a patient’s health information may only be used for health purposes.

Health information covered under the final regulations may not, in general, be used for purposes that are not related to health care – such as disclosures to employers to make personnel decisions, or to financial institutions – without explicit authorization from the patient. In addition, disclosures of information will be limited to the minimum necessary for the purpose of the disclosure. This aspect of the final regulations, however, does not apply to the disclosure of medical records for treatment purposes because physicians, specialists, and other providers need access to the full record to provide quality care.

I suggest that the place to start is to identify the location, disbursement and use of all individually identifiable health information. There are, when you stop to think about it, many potential identifiers. What follows is a list of 19 such potential identifiers:
The key question to ask yourself is: "How difficult would it be to identify the individual (patient/resident) from this information?" Our journey has begun! The next step: determining if the use and/or disclosure of this information meet the criteria of being either permitted or required. To be continued . . .