Unfortunately, this medical assistant is part of a growing legion of women and men who act individually, or as part of crime rings, to purchase items and secure loans using someone else's credit. Identity theft-along with insurance, lending, and employment refusals that can stem from the sharing of diagnostic and genetic information-has created a groundswell of consumer concern about information privacy. It is this outcry that prompted Department of Health and Human Services (HHS) Secretary Tommy G. Thompson to ratify the Health Insurance Portability and Accountability Act (HIPAA) privacy standard earlier this year. The standard takes aim at medical records because these records, with their plethora of identifying patient information, are a valuable target for sophisticated information criminals.
To ensure compliance by the April 14, 2003 due date, you'll need to understand exactly what the standard requires. In the following pages, we'll break down the regulation and put it into ?plain English' to help you understand exactly what it will mean for your facility.
The privacy standard is just one component of the broader, four-part HIPAA law passed in 1996. Overall, HIPAA has two main objectives: To ensure the privacy and security of health information, and to simplify the administrative burden on providers and insurers. To date, the HHS Secretary has signed off on two of the four HIPAA standards: The privacy standard and the transaction and code set standard (see sidebar). The two remaining parts are:
- The security standard, which aims to ensure the security of electronic medical information and will overlap with the privacy standard,
- National identifier standards, which simplify electronic transactions by assigning universal ID numbers to providers, health care plans, and employers.
The Privacy Standard
The HIPAA privacy rule aims to reign in unnecessary sharing of medical information, reduce medical record accessibility (to everyone except patients), give patients control over their health information, and make providers more accountable when they unnecessarily obtain or disclose private health data. Because the privacy standard applies to all providers that use electronic transactions (whether directly or through third parties), essentially all outpatient facilities are subject to it. Importantly, the standard does not apply only to electronic transactions. It applies to any form of "identifiable" health information-including written records, oral communications (e.g., intercoms, general conversations, telephone calls), and electronic transactions (e.g., e-mails, computer records, faxes). The regulation considers medical information "identifiable" when it contains the patient's name, address, birth date, or anything else that can be used to identify the patient. If you remove these identifiers, the record loses its HIPAA protection and you can freely disclose the data. However, codes or encryption keys for tracing the data back to the patient are also considered identifiers.
The privacy standard, which mandates compliance by April 14, 2003, generally requires outpatient facilities to do the following six things:
- Fully inform patients how you may use their medical information.
You must give all patients a clear, written explanation of how you typically use or disclose their medical information via a "Notice of Privacy Practices for Protected Health Information." The notice must contain six elements (see HIPAA Checklist). "Basically, this is a re-working of the statement of rights and responsibilities," notes Sandra J. Jones, managing partner with Ambulatory Strategies, Inc. HIPAA law requires providers to prominently post the notice, post it electronically on web sites or via e-mail if you have these capabilities, and have paper copies available.