Health Insurance Portability and Accountability Act (HIPAA)

¶ … Health Insurance Portability and Accountability Act (HIPAA) of 1996 provided for the better management of health information as well as increased health coverage for target entities. Of particular emphasis the law has is the privacy and security of health information. Prior to the implementation of HIPAA, there was an ad hoc management of health information and health coverage is very limited. Often disparate policies and standards are used from one medical institution to another or by the different private and public organizations. HIPAA provided the standards and detailed how health information should be protected to ensure the confidentiality, integrity, and availability thereof depending on the given situation. In particular, HIPAA details a patient's access to his or her medical records based on the general principles for disclosure. Two guiding principles cover disclosure and not only to patients but to covered entities; these principles are: "(a) to individuals (or their personal representatives) specifically when they request access to, or an accounting of disclosures of, their protected health information; and (b) to HHS when it is undertaking a compliance investigation or review or enforcement action (U.S. Department of Health & Human Services [DHHS], 2003)." This means that the patient have full rights to his or her health information and also the recipient thereto. The disclosure of the health information though can only be allowed with the written authorization of the patient or authorized representative.

The usage of health information is not only confined to matters pertaining to health and medicine. The HIPAA provided several provisions on where health information can be used in non-health matters and there are 12 circumstances thereto which are: (1) required by law; (2) public health activities; (3) victims of abuse, neglect or domestic violence; (4) health oversight activities; (5) judicial and administrative proceedings; (6) law enforcement purposes; (7) decedents; (8) cadaveric organ, eye, or tissue donation; (9) research; (10) serious threat to health or safety; (11) essential government functions; and (12) workers' compensation (DHHS, 2003). The circumstances or provisions are not automatically applicable because the HIPAA requires written authorization from owner of health information prior to the usage of health information for non-health care purposes.

Part of the administrative requirements of HIPAA is the development and implementation by covered entities of written privacy policies and procedures that are consistent with the Privacy Rule. Several issues need to be addressed in said policies and procedures; thus covered entities will need to go over every details of the Privacy Rule of HIPAA. Once policies and procedures have been developed and implemented, the contents thereof will need to be cascaded to the staff of covered entities. One way of dissemination is via training and during the training, the participants will be made aware of the sanctions available should they breach the HIPAA Privacy Rule and policies of the covered entity. Based on the Privacy Rule requirements of HIPAA with regards to workforce training and breach of policy, the provision states: "A covered entity must train all workforce members on its privacy policies and procedures, as necessary and appropriate for them to carry out their functions. A covered entity must have and apply appropriate sanctions against workforce members who violate its privacy policies and procedures or the Privacy Rule. (DHHS, 2003)" Everything is clear and understandable with HIPAA and it is up to covered entities to comply.