The Health Insurance Portability and Accountability Act of 1996 is changing the practice of health care and the dissemination of health care information. The law affects numerous types of organizations and entities. HIPAA’s primary targets are health insurance companies/ sponsors and providers of health care services, along with entities that interact with them and have access to health care information.
The health insurance portability portion of HIPAA, in effect for several years, protects health insurance coverage for workers and their families when they change or lose their jobs. Other aspects of the regulations address "administrative simplification," or electronic data interchange, health information privacy and security. These are the provisions that affect UW Health and other "covered entities."
Currently, only two compliance dates have been set: October 2002 for the electronic data interchange requirements and April 2003 for the privacy rules. Entities may apply for a one-year extension to meet the electronic data interchange requirements.
The privacy rules require us to adopt and enforce comprehensive confidentiality policies and to obtain patient permission before using or disclosing personal medical information. Additional rules that address security requirements are expected, but they will not take effect until two years after the rules are published.
Who does HIPAA affect?
HIPAA applies to "covered entities," defined by the act as:
- Health Plans – virtually every private or public, state or federal health insurer and health plan that provides or pays the cost of medical care, including HMOs, PPOs, most self-administered group plans, state plans, Medicare and Medicaid.
- Health Care Providers – institutions, such as hospitals, clinics, nursing homes and pharmacies; as well as individual providers, such as physicians, nurses, therapists and pharmacists; and any other provider of medical information or health services.
- Health Care Clearinghouses – organizations that process or help process health information for another covered entity, such as a billing service or a claim filing service.
In addition, HIPAA requires covered entities to identify their "business associates," defined as outside vendors that work on behalf of a covered entity and have access to personal health information. UW Health is required to have a written contract with all business associates (as defined by HIPAA) requiring those associates to also protect and keep confidential all patient health care information.
What information is protected?
HIPAA mandates that all "individually identifiable health information" be "protected health information." It does not matter if the information is on paper, in electronic format or verbal – it must be kept confidential. This applies to all past, present or future physical or mental health care information.
"Individually identifiable information" is any information that could be used, alone or with other readily available information, to identify an individual (see below). UW Health could not, for example, call and leave a reminder on an answering machine that a particular person has a radiology appointment, because someone other than the patient may have access to the answering machine.
These rules apply not only to health plans and providers, but also to plan sponsors. Employers, associations and other health plan sponsors cannot access employee/patient health information unless they have written consent from the individual. Without consent, access is limited to basic or general information only.
Another provision of the privacy rules state that access to health information must be limited to that which is minimally necessary to do the task at hand. This rule does not apply to a provider who discloses information for the purpose of treatment (e.g., a primary care physician reveals information to a referral specialist). It means, however, that UW Health must look at its electronic systems to limit information to certain groups of employees. A receptionist, for example, would not need access to a patient’s complete medical history. Efforts to meet HIPAA provisions are underway throughout UW Health. April 2002
Individually identifiable information is protected health information
If a person’s individual health information is linked with any of the following unique identifiers relating to the patient or the patient’s relatives, employers or household members, it is protected information:
- Address or parts of an address
- Birth date, hospital admission or discharge date, or other dates that are "directly related to an individual"
- Telephone or fax number
- E-mail address or URL
- Social Security number
- Medical record number
- Account number
- Health insurance plan ID number
- License or certificate number
- Driver’s license number or vehicle license plate
- Fingerprint, voiceprint, or other such identifier
- Photograph or image
- Any other unique identifying number, characteristic or code
A patient’s chart is left on a desk in a public area in a clinic (e.g., the oncology or dermatology clinic). This is a breach of confidentiality because it links the patient’s name to health care information (patient is seeing an oncologist or a dermatologist).
In some cases, this may not matter to a particular patient, but in other cases it may. Whether it matters to the patient or not, it is still a breach of confidentiality and the HIPAA requirements.