In essence, HIPAA (the Health Insurance Portability and Accountability Act) is intended to protect the rights and confidentiality of people receiving medical treatment in a healthcare environment that is becoming increasingly technology-driven.
These guidelines apply in every healthcare setting and to every patient. Working knowledge of the HIPAA law will assist you in understanding your role in maintaining the confidentiality of your patient’s medical information.
HIPAA's privacy and security provisions apply to "covered entities." A covered entity is any healthcare organization that transmits confidential medical information in electronic form. The term extends to all members of that organization's workforce. In addition, HIPAA states that "Business Associates," who may be independent contractors or separate service providers, must also comply with the HIPAA security provisions.
PHI (protected health information) refers to personal patient information that can be used to identify the patient, sometimes even inadvertently. Patients have the right to direct when, why and to whom PHI may be released.
In the past, aggregated patient information may have been collected for research, quality improvement or other purposes. Even though the patient’s name would be omitted, the patient may still be identifiable through specific data including date of procedure, type of procedure, gender or any number of other details. HIPAA allows patients much more control over PHI.
HIPAA requires healthcare professionals to maintain the privacy and confidentiality of all PHI. Privacy is the individual’s right to decide who, when and how information about him or herself is disclosed. Confidentiality is the obligation of another to maintain the person’s privacy.
Upon entering a healthcare organization, the patient is given information about how the organization will protect the privacy of the patient and what types of information will be shared and under what circumstances (generally related to the current care of the patient). This is called the Notice of Privacy Practices and is required by HIPAA to be given to all patients.
Patient information that is protected includes, but is not limited to, the patient’s name, address, telephone number, age, diagnosis, surgery, date of procedure, and medications. Beyond this, additional information that is protected includes any medical history information, results of physical examinations, laboratory and other diagnostic results, billing records, and claim forms. Any information that could be used to identify the patient is protected under HIPAA.
Patients have a right to request restrictions on the information shared as long as it is not related to the course of treatment. Patients can specify where and how the communication of confidential information is handled.
Patients have the right to inspect, review and receive a copy of their PHI. Patients may also request an amendment or change in the content of the PHI if they believe there is an error or have another concern about the contents of the record. The provider has the right to accept or deny this request.
Notice of Privacy Practices
Every patient must be given a "Notice of Privacy Practices" (NPP) document. This describes to the patient how the organization will use and disclose their medical record information. The patient signs to acknowledge that they have received a copy of this notice. The notice is given once only, and a single privacy notice covers all pharmacies in a chain or all departments in a hospital. If the patient is unable to sign the NPP, the reason is documented. If another person signs on the patient's behalf, that person's relationship to the patient is documented as well.
This Notice of Privacy Practices essentially replaces the patient's signed consent. Once a Notice of Privacy Practices has been received and signed by the patient, it is no longer necessary for a healthcare professional to obtain additional consents or authorizations for any disclosures of PHI in the normal course of events.
If the patient does have any additional privacy requests, they should be documented on the privacy notice at the time of initial signing. Healthcare professionals should document these requests in the patient's records.
Minimum Necessary Concept
HIPAA requires healthcare professionals to make their best efforts to protect patients' privacy by sharing the least amount of information necessary to provide care. In other words, HIPAA limits the use and disclosure of personal health information to a "minimum necessary" standard for any communication other than for the purpose of treatment. This protects patient privacy by disclosing only the least amount of information another healthcare professional needs to perform their job.
Requests for Access to Records
HIPAA outlines the requirements for sharing and reviewing medical records. Release of medical records can occur if the patient completes a HIPAA-compliant authorization form.
There are guidelines for when authorization is required and is not required. Authorization is not required when information is related to patient treatment issues. Authorization would be required to share PHI for life insurance review or to send lab reports to another entity.
The authorization includes the specifics of the PHI to be shared, the persons disclosing and receiving the information, expiration date, and the right to revoke.
Emails Regarding Patients
HIPAA requires that all emails be encrypted; that is, encoded as they are transmitted and then decoded at the receiving end.
Encryption is fairly standard for email transmissions in healthcare settings.
Guidelines for Releasing Information
Patients have a right to receive a copy of their medical and pharmacy records within 30 days of receipt of a written request. This time period may be extended an additional 30 days if a valid reason is given for the delay.
Under HIPAA law, patients have the right to request a list of any instances, going back a period of 6 years or less, in which their information was disclosed to anybody outside the realm of treatment, payment or regular operations. This requires the maintenance of confidential record keeping for a minimum period of 6 years.
Once requested by a patient, the healthcare professional will have 60 days in which to provide the patient with an accounting of these disclosures, including the date, name, and address of the person to whom the information was given, a brief description of the disclosure, and the reason for it. This is for non-routine uses only. However, a healthcare professional does not have to account for disclosures that concern treatment, billing, or accounting or for any disclosures made pursuant to receiving patient authorization.
When No Information is Released
In general, any patient receiving care for substance abuse, psychiatric disorder, HIV, pregnancy, sexual abuse, or rape is treated with an even greater level of confidentiality. Confirmation of the patient’s treatment is generally prohibited. This means that if a call is received asking about a particular patient, no comment should be made as to whether the patient is even seeking treatment or being treated. Check with your organization's HIPAA policy for exact terminology.
Additionally, a patient may request to NOT be in the patient directory and the same standard would be in
HITECH Act of 2009
In anticipation of a massive expansion in the exchange of electronic protected health information (ePHI), the HITECH Act widens the scope of privacy and security protections available under HIPAA.
HIPAA guidelines are in place to protect your patient. Remember that each organization has the discretion to design policies and procedures within its system that meet the HIPAA guidelines but also provide a "fit" for the organization.
Although you may see variations in policies at different organizations, you will recognize that the overall intent is to improve the protection of patient confidentiality in a healthcare environment that relies heavily on technology.
Review the specifics of your organization's policies and procedures to be certain that you know how to protect confidential medical information.
Additional information can be accessed at the HIPAA website at: http://www.hhs.gov/ocr/privacy.
For additional HIPAA information, please visit the Centers for Medicare and Medicaid Services website at: http://www.cms.hhs.gov/hipaaGenInfo/.