Issue 3 - February 2003

Ask Deborah Green
HIPAA protects patient privacy

Q Please explain about HIPAA and what I need to know about it.

A HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. One of HIPAA’s purposes is to protect the privacy of people’s individually identifiable health information. That information can be a health record or something as simple as a person’s name released in a manner that allows someone else to learn private health information. The rules cover all forms of communication that may contain protected health information (PHI).

The HIPAA privacy rules cover all individually identifiable health information in any form, electronic or non-electronic, held or transmitted by a health care organization. This information includes both electronic records and paper records that have never been electronically stored or transmitted. (The proposed security regulation covers only electronic information, but there is a possibility that the final rule will include all records.)

• Health information. The Department of Health and Human Services (HHS) defines health information as any information, oral or recorded in any form or medium, that is created or received by a health care provider, health plan, public health authority, employer, life insurer, school, university or clearinghouse; and/or relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present or future payment for health care of an individual.

• Individually identifiable. This includes demographic information collected from an individual that identifies an individual or could reasonably be used to identify the individual. The concept of individually identifiable goes beyond information that may directly identify an individual, such as a name.

There is no listing of covered information as HHS has declined to list any specific types of information that are covered – such as health records or genetic information – to emphasize the importance of protecting them. It points out that doing so might wrongly imply that anything not on the list was not covered.

Individuals have numerous rights under the HIPAA privacy regulations. All of these rights support the primary right that is behind every rule and provision in these rules – the right to privacy.

The pre-use rights start with the Notice of Privacy Practices and involve various levels of acknowledgment that a privacy notice was received and authorized, and requested restrictions from the individual.

The post-use rights begin with the accounting process and permit individuals to access and amend their own records and ultimately complain about alleged failures to protect or account for disclosures of PHI. Finally, there also are rules to protect the individual against actions by a health care organization in a dispute.

Physical safeguards also must be put in place in order to safeguard information from physical access by unauthorized people using a computer terminal, opening a file cabinet or even overhearing a conversation.

While there are no mandated rules concerning particular procedures to be put in effect, you are required to use common sense to ensure privacy. For example, lock file cabinets, if you have an open treatment room (which I strenuously discourage for a variety of reasons), do not discuss health information with your patient there but wait until you are in the privacy of your office.

Make certain that you have physical safeguards for electronic data, including placement of computer workstations in secure areas and implementing written procedures to use or remove hardware and software.

If you require clarification on these questions or have any questions will regard to other legal health-care issues, please contact the law office of Deborah Green. Her number is 954-236-8282; fax, 954-236-6939; or e-mail, healthattorney@aol.com. She will answer questions in this column that are of interest to the broadest audience.

LEGAL DISCLAIMER: Because this column is being presented to you by an attorney, it would not be complete without a legal disclaimer. This column is provided subject to and governed expressly by the terms of this disclaimer. This column is provided for educational purposes only. The accuracy or timeliness of the information presented herein is not warranted. The information presented herein is not intended to be advice as to a specific fact pattern with which you may be presented. Accordingly, please note that the information contained herein is not being presented as legal advice with respect to any matter and that no attorney-client relationship is hereby established.