HIPAA Privacy

Privacy is a highly valued commodity and one that used to be taken for granted. In this age of the internet and other advanced technological tools, privacy is increasingly hard to protect. It was under these evolving circumstances that Congress determined it was necessary to begin legislating privacy rules and guidelines, at least in some domains. From this, the HIPAA privacy rules were born in 1996.

The HIPAA Privacy Rule took effect in 2003. The legislation held that covered entities (including most healthcare providers, health plans, and healthcare clearinghouses) must take certain measures to protect the privacy of the individuals with whom they did business. The information that must be kept private was termed Protected Health Information (PHI). This nebulous phrase includes any information that may in some way identify the patient or their health and history, such as:

  • Names
  • Social security numbers
  • Contact information
  • Conversations between a doctor and a patient about care or treatment
  • Prescription information
  • Billing information
  • Information contained in a patient’s health record
  • Patient’s insurance information

Protecting an individual’s privacy per HIPAA requirements is more than just keeping a patient’s chart closed when other patients are around. Each entity should identify and appoint a privacy officer to oversee the privacy measures put in place and practiced at their location. The privacy officer should train all employees on standard protocol and changes to procedures. Various precautions should be taken to ensure the privacy of each individual. Some of these precautions really are as simple as keeping patient charts closed and hidden from the view of other patients. Staff members should only access the information they need to complete their job. Nurses, for example, have little need to see the billing information of a patient they are treating, though another employee may need that information but not the treatment information. Requiring passwords to access information stored on computers and locking cabinets or rooms that contain PHI also help meet the requirements of the HIPAA privacy laws.

The HIPAA Privacy Rule also dictates when PHI can be disclosed and to whom. Patients must be privy to their own PHI, and if they request to see any part of their own information, the covered entity must provide them with the information within 30 days. The Privacy Rule also requires that PHI be disclosed at other times when it is required by law, such as in cases of suspected child abuse. Covered entities may also disclose PHI to facilitate treatment and payment so long as they have authorization from the individual.

The extent to which covered entities must go to protect an individual’s PHI can vary depending on the type of business operation each one is. Researching HIPAA privacy law and trying to make sense of it all can be daunting and sometimes even dangerous if understood incorrectly. It is best to seek help in creating the HIPAA privacy procedures. One source of help is the HIPAA Software that allows you to create a personalized HIPAA Policies and Procedures manual specific to the needs and practices of your covered entity.