In 1996, Congress passed the Health Insurance Portability and Accountability Act, commonly referred to as HIPAA. One component of HIPAA is designed to streamline the process to exchange information electronically for claims reimbursement.
It was believed that making it easier to share patient information increased the risk of unauthorized disclosures. As a result, HIPAA also required that privacy rules be developed to protect health information.
The HIPAA Privacy Rule went into effect in April 2003 and creates a federal standard for protecting the privacy of health information, which is in addition to existing state laws. The Privacy Rule requires USC to continue to comply with California laws that provide extra protection to patients and includes civil and criminal penalties for non-compliance.
What does the Privacy Rule require?
The Privacy Rule prohibits the use or disclosure of “protected health information,” or PHI, unless the patient has signed a specific authorization. PHI is defined in the Privacy Rule as any health information created or received by a health care provider that: (1)identifies an individual; and (2) relates to that individual’s past, present or future physical or mental health condition or to payment for health care. Protected health information includes information in any form or medium, from a paper medical record to a fax authorization or referral to a conversation between colleagues consulting on the care of a patient.
An authorization is not required for the following, provided the patient has acknowledged receipt of a Notice of Privacy Practices:
- To treat the patient
- To get paid for services
- To conduct health care operations (for example, quality assurance, credentialing, audits, compliance monitoring)
- Patient information also can be given to patient caregivers (for example, family members), but only if the patient expressly or impliedly consents.
- Certain disclosures also can be made by a health care provider without patient authorization to accomplish public policy objectives (for example, to report child or elder abuse).
Any other disclosure (such as for research, fundraising or marketing) may only be made if the patient specifically authorizes the disclosure in writing. An authorization is a customized document that requests permission from the patient to use protected health information for specific purposes and for a specific time period.
As a general rule, even if a disclosure is permitted under the Privacy Rule, it must be limited to the minimum amount of information necessary.
The HIPAA Privacy Rule also gives patients expanded rights to access their medical and billing records, request amendments to those records and obtain an accounting of disclosures of protected health information.