… 1996, the Federal government passed the Health Insurance Portability and Accountability Act (HIPAA), which enacted new rules with respect to health care administration. In particular, HIPAA laid out specific requirements regarding the release of protected health information (PHI), with the intent of protecting the privacy of consumers.
This paper will examine HIPAA and outline some of its effects on both consumers and health care facilities. Under HIPAA, those facilities are known as "covered entities." Among the issues covered under HIPAA are patient access -- its extent and the procedures for it; the limits of release of information (ROI); to whom and for what purpose covered entities may release information; rules regarding documentation; and rules regarding training, recordkeeping and guidance on employee discipline.
Patient Access
One of the aspects of recordkeeping that HIPAA was designed to improve was patient access. Prior to HIPAA, states set their own procedures for the release of information (ROI). HIPAA was the first attempt to set a national standard for the release of PHI. This was done in part to stem the tide of medical identity theft. As a result, patients enjoy only limited control over their health records.
One right they do have under HIPAA, however, is access to their own records. HIPAA specifically allows for individuals to gather their own health care information, and information about their family medical history (OCR, 2009).
Individuals wishing to access their health information can do so through the proper channels of their covered entity. This will require a formal release of information (ROI) request, because HIPAA governs covered entities with respect to their release of information. The covered entity must verify the identity of the requester before releasing information. However, this verification can be conducted either in person or remotely via phone or fax, allowing greater flexibility for consumers with respect to gaining access to their health care information.
Non-Health Purposes
Consumers have little control over their health records. While technically they can request that limitations be placed over disclosure of their health records, covered entities are permitted under HIPAA to deny such requests. In practice, this happens frequently as entities such as Kaiser Permanente have policies strictly forbidding such restrictions on ROI, citing logistical difficulties (Francis, 2006).
Thus, there are many non-health purposes for which release of information is allowed under HIPAA. The Act categorizes such purposes as "health care operations" (OCR, 2009). These include purposes pertaining to public benefit, for example public health research, or health oversight activities (Ibid.). Public benefit can extend to family members as well, since doctors can request PHI on one member of the family to assist in treating other members.
PHI can also be used as part of the billing process. Covered entities are allowed to use PHI for both billing and business planning purposes. Another allowable disclosure is to the police, for example in the case of gunshot wounds, or in cases of suspected abuse. Additionally, covered entities may use PHI to conduct performance evaluations; to carry out medical reviews and audits, including fraud and abuse detection programs; for underwriting and other insurance functions; for fundraising; and to de-identify PHI.
Other non-health purposes allowed under HIPAA include marketing, as some consumers have reported targeted marketing efforts directed at them following diagnosis (Francis, 2006). In addition to such targeted marketing, communications can also pertain to information about participating providers in a provider network, and to directing the patient toward alternative treatments or providers. Psychotherapy notes may also be used for training purposes and to help a covered entity defend itself against legal proceedings brought by the patient (OCR, 2003).
Disclosures may also be made to prepare facility directories of patient information; to allow a person's family to become involved in his or her health care (for example, to allow a husband to pick up a prescription for his wife); to coroners and funeral directors; for tissue or organ donation; for medical research; for worker's compensation; and for "essential government functions."
Written Policies
Covered entities must develop and implement written privacy policies that are consistent with the Privacy Rule (OCR, 2003). This policy must address several components. One is that there must be a privacy official. The privacy official is responsible for developing and implementing privacy policies. There must also be a contact person responsible for the receipt of complaints (Ibid.).
The written policy must also cover other key areas. These include workforce training, which must extend to anyone under the direct control of the covered entity, even if they are under contract and not an employee of the entity. There must be data safeguards as well, so the written policy needs to include specific procedures for verification of identity, release of information and disposal of PHI.
There must also be a policy with respect to the handling of complaints. This procedure must be outlined in the notice that the patients receive. Under HIPAA, each of these different components must be included in the written policy, for the protection of both the covered entity and the consumer.
Training
Covered entities are responsible for training staff on the proper handling of protected health information. The term 'staff' includes all employees under the direct control of the covered entity, regardless of their contract status. This includes employees of "business associates." Under most circumstances, covered entities are required to have a contract in place with business associates stipulating that the associates will adhere to HIPAA and other laws surrounding the release of the information with which the covered entity is entrusting them.
Thus, the covered entity is responsible for the development and implementation of a comprehensive ROI training program. The covered entity also bears all responsibility for recordkeeping. Every record relating to HIPAA, including the entity's own procedures, the disposition of complaints and its privacy notices, must be kept for six years after its last effective date.
Each employee will need to receive training on both HIPAA and the company's own specific policies and procedures. Failure to train staff will lead to violations of HIPAA, which can subject the covered entity to punishment. Because the entity is subject to punishment, it must take responsibility for the discipline of employees. If an employee does not follow the rules, the covered entity must have a discipline structure that includes sanctions against the employee. Specific sanctions are not outlined in the regulations but must be