Safeguarding patients’ protected health information through HIPAA Compliance


Even though HIPAA (the Health Insurance Portability and Accountability Act of 1996) was passed a decade and a half ago, confusion persists among healthcare providers, especially those running smaller practices.

This confusion has prompted not only the modification and adaptation of HIPAA by new legislation, but also a widening of its scope through HITECH (the Health Information Technology for Economic and Clinical Health Act of 2009), which addresses the privacy and security protection of patients as electronic healthcare transactions become the accepted norm.

Scope of HIPAA

Healthcare providers who are covered under HIPAA carry out their transactions electronically. If they transact in cash against paper billing, they may not be a covered entity under HIPAA.

Coming under the ambit of HIPAA helps healthcare providers protect not only their own privacy but also that of their employees and patients. Whether HIPAA is enforceable for a particular healthcare practice can be confirmed with the US Department of Health & Human Services (HHS) Office for Civil Rights, the body responsible for enforcing HIPAA.

HIPAA contains two sections: one deals with portability of insurance, the other with administrative simplification. The second section also contains HIPAA’s Privacy Rule.

HIPAA’s Privacy Rule

The Privacy Rule makes it incumbent on healthcare providers and others covered under HIPAA to keep confidential the information regarding their patients undergoing treatment. This information is termed Protected Health Information (PHI).

In addition to the usual identifying information, such as a patient’s name, address, phone number and social security number, PHI also includes all information related to a patient’s health, treatments, prognosis, health insurance plan and payment.

Since PHI is confidential, care is needed in how it is disseminated, whether verbally, in writing or electronically. It is to be disclosed only for purposes permitted by law and when medically essential. Even when discussing a patient’s health on the phone, a healthcare provider needs to close the door and speak in hushed tones to safeguard the information. Department-to-department transfer of test reports and communication regarding a patient’s condition for the purposes of treatment are, however, allowed under HIPAA.

HIPAA does not recognize lawyers, accounting firms and other such professionals as covered entities. Even so, outside services handling this confidential information need to sign a business associate contract assuring that they will adequately safeguard patients’ private information.

HIPAA requires its covered entities to offer their patients a Notice of Privacy Practices (NPP). This gives privacy rights to patients and spells out how their PHI may be used or disclosed.

Implementing PHI

It is mandatory for healthcare providers that are covered entities under HIPAA to depute a privacy and security officer responsible for reviewing the regulations. This individual can be one of the healthcare providers themselves.

This officer is responsible for carrying out a risk assessment and gap analysis of the office. This entails reviewing all systems and documents, such as medical records, desktops, laptops, tablets and smartphones, and anywhere else healthcare information is or could be stored.

This exercise spares healthcare firms trouble with government audits. If a healthcare provider fails to address a specific risk, he or she will need to justify the omission.

This is why it is important to hold regular privacy training for staff members. The resources and material for such training can be obtained from the HHS Office for Civil Rights. If the process appears cumbersome, a consultant can be engaged to provide appropriate training to the staff and guide the healthcare providers in implementing privacy measures.

Will technology safeguard PHI?

Some years back, email and electronic transfers of patients’ PHI were considered safe when sent with the disclaimer ‘this communication is only intended for use by the named recipient’. That is no longer the case, since the information can today be easily hacked. For this reason, experts suggest using some form of encryption software to protect electronic communications containing patients’ PHI.

Conclusion

There is no way to protect patients’ PHI if healthcare firms do not adhere to HIPAA. The two major steps healthcare providers can take under HIPAA are to depute a privacy and security officer and to adopt encryption software.


About Author

Founded in 1994 by the late Pamela Hulse Andrews, Cascade Business News (CBN) became Central Oregon’s premier business publication. CascadeBusNews.com • CBN@CascadeBusNews.com
