HIPAA Administration Simplification
(part 3)
by A. Maureen Hanna
In the last two months' issues we provided you with an overview of the Health Insurance Portability and Accountability Act (HIPAA) of 1996, specifically the section that is referred to as Administration Simplification. As of the writing of this article, many of the details of this Act have not yet been released. However, the information below should provide providers with a summary of some of the rules and considerations that they will need to keep in mind as the Act is implemented in the next year.
Proposed Standards for Privacy of Individually Identifiable Health Information
HIPAA requires the Secretary of HHS to promulgate a series of standards relating to the electronic exchange of health information. Collectively these are known as the Administrative Simplification provisions. In addition to those standards, the Secretary was required to develop and submit to the Congress recommendations for the privacy rights that an individual who is a subject of individually identifiable health information should have, the procedures that should be established for the exercise of such rights, and the uses and disclosures of such information that should be authorized.
On September 11, 1997, the Secretary presented to the Congress her Recommendations for protecting the "Confidentiality of Individually-Identifiable Health Information" (the "Recommendations"), as required by section 264 (a) of HIPAA. In those Recommendations, the Secretary called for new federal legislation to create a national floor of standards that provide fundamental privacy rights for patients, and that define responsibilities for those who use and disclose identifiable health information.
The Secretary's Recommendations set forth the framework for federal privacy legislation. Such legislation should:
Allow for the smooth flow of identifiable health information for treatment, payment, and related operations, and for specified additional purposes related to health care that are in the public interest.
Prohibit the flow of identifiable information for any additional purposes, unless specifically and voluntarily authorized by the subject of the information.
Put in place a set of fair information practices that allow individuals to know who is using their health information, and how it is being used.
Establish fair information practices that allow individuals to obtain access to their records and request amendment of inaccurate information.
Require persons who hold identifiable health information to safeguard that information from inappropriate use or disclosure.
Hold those who use individually identifiable health information accountable for their handling of this information, and provide legal recourse to persons harmed by misuse.
The Recommendations call for legislation that applies to health care providers and payers who obtain identifiable health information from individuals and, significantly, to those who receive such information from providers and payers. The Recommendations follow health information from initial creation by a health plan or health care provider, through various uses and disclosures, and would establish protections at each step.
Entities Covered
The provisions of this proposed rule apply to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form.
Protected Health Information
The proposal applies the requirements of this rule to the subset of individually identifiable health information which is maintained or transmitted by covered entities and which is or has been in electronic form. The provisions of the rule would apply to the information itself, referred to as protected health information in this rule, and not to the particular records in which the information is contained. Once information has been maintained or transmitted electronically by a covered entity, the protections would follow the information in whatever form, including paper records, in which it exists (while it is held by a covered entity).
General Rules
The purpose of the proposal is to define and limit the circumstances in which an individual's protected health information may be used or disclosed by others. The Secretary proposes to make the use and exchange of protected health information relatively easy for health care purposes, and more difficult for purposes other than health care.
Covered entities would be prohibited from using or disclosing protected health information except as provided in the proposed rule. Under the rule, covered entities could:
1. Use or disclose protected health information with individual authorization.
2. Use or disclose protected health information without authorization for treatment, payment and health care operations as provided and defined in the proposal.
3. Be permitted to use or disclose a patient's protected health information without authorization for specified public and public policy-related purposes, including public health, research, health oversight, law enforcement, and use by coroners.
4. Be permitted to use and disclose protected health information when required to do so by other law, such as mandatory reporting under state law or pursuant to a search warrant.
5. Be required by this rule to disclose protected health information for only two purposes: to permit individuals to inspect and copy protected health information about them and for enforcement of this rule.
Under the proposal, most uses and disclosures of an individual's protected health information would not require explicit authorization by the individual, but would be restricted by the provisions of the rule. The rules would create a sphere of privacy protection that includes covered entities that engage in treatment or payment, and the business partners they hire to assist them. While written consent for these activities would not be required, new restrictions on both internal uses and external disclosures would be put in place to protect the information.