HIPAA stands for Health Insurance Portability and Accountability Act. When I hear people talking about HIPAA, they are usually not talking about the original Act. They are talking about the Privacy Rule that was issued as a result of the HIPAA in the form of a Notice of Health Information Practices.
The United States Department of Health & Human Services official Summary of the HIPAA Privacy Rule is 25 pages long, and that is just a summary of the key elements. So as you can imagine, it covers a lot of ground. What I would like to offer you here is a summary of the basics of the Privacy Rule.
When it was enacted in 1996, the Privacy Rule established guidelines for the protection of individuals’s health information. The guidelines are written such that they make sure that an individual’s health records are protected while at the same time allowing needed information to be released in the course of providing health care and protecting the public’s health and well being. In other words, not just anyone can see a person’s health records. But, if you want someone such as a health provider to see your records, you can sign a release giving them access to your records.
So just what is your health information and where does it come from? Your health information is held or transmitted by health plans, health care clearinghouses, and health care providers. These are called covered entities in the wording of the rule.
These guidelines also apply to what are called business associates of any health plans, health care clearinghouses, and health care providers. Business associates are those entities that offer legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services.
So, what does a typical Privacy Notice include?
- The type of information collected by your health plan.
- A description of what your health record/information includes.
- A summary of your health information rights.
- The responsibilities of the group health plan.
Let’s look at these one at a time:
Information Collected by Your Health Plan:
The group healthcare plan collects the following types of information in order to provide benefits:
Information that you provide to the plan to enroll in the plan, including personal information such as your address, telephone number, date of birth, and Social Security number.
Plan contributions and account balance information.
The fact that you are or have been enrolled in the plans.
Health-related information received from any of your physicians or other healthcare providers.
Information regarding your health status, including diagnosis and claims payment information.
Changes in plan enrollment (e.g., adding a participant or dropping a participant, adding or dropping a benefit.)
Payment of plan benefits.
Case or medical management.
Other information about you that is necessary for us to provide you with health benefits.
Understanding Your Health Record/Information:
Each time you visit a hospital, physician, or other healthcare provider, a record of your visit is made. Typically, this record contains your symptoms, examination and test results, diagnoses, treatment, and a plan for future care or treatment.
This information, often referred to as your health or medical record, serves as a:
Basis for planning your care and treatment.
Means of communication among the many health professionals who contribute to your care.
Legal document describing the care you received.
Means by which you or a third-party payer can verify that services billed were actually provided.
Tool in educating health professionals.
Source of data for medical research.
Source of information for public health officials charged with improving the health of the nation.
Source of data for facility planning and marketing.
Tool with which the plan sponsor can assess and continually work to improve the benefits offered by the group healthcare plan. Understanding what is in your record and how your health information is used helps you to:
Ensure its accuracy.
Better understand who, what, when, where, and why others may access your health information.
Make more informed decisions when authorizing disclosure to others.
Your Health Information Rights:
Although your health record is the physical property of the plan, the healthcare practitioner, or the facility that compiled it, the information belongs to you. You have the right to:
Request a restriction on otherwise permitted uses and disclosures of your information for treatment, payment, and healthcare operations purposes and disclosures to family members for care purposes.
Obtain a paper copy of this notice of information practices upon request, even if you agreed to receive the notice electronically.
Inspect and obtain a copy of your health records by making a written request to the plan privacy officer.
Amend your health record by making a written request to the plan privacy officer that includes a reason to support the request.
Obtain an accounting of disclosures of your health information made during the previous six years by making a written request to the plan privacy officer.
Request communications of your health information by alternative means or at alternative locations.
Revoke your authorization to use or disclose health information except to the extent that action has already been taken.
Group Health Plan Responsibilities:
The group healthcare plan is required to:
Maintain the privacy of your health information.
Provide you with this notice as to the planâEUR(TM)s legal duties and privacy practices with respect to information that is collected and maintained about you.
Abide by the terms of this notice.
Notify you if the plan is unable to agree to a requested restriction.
Accommodate reasonable requests you may have to communicate health information by alternative means or at alternative locations. The plan will restrict access to personal information about you only to those individuals who need to know that information to manage the plan and its benefits. The plan will maintain physical, electronic, and procedural safeguards that comply with federal regulations to guard your personal information. Under the privacy standards, individuals with access to plan information are required to:
Safeguard and secure the confidential personal financial information and health information as required by law. The plan will only use or disclose your confidential health information without your authorization for purposes of treatment, payment, or healthcare operations. The plan will only disclose your confidential health information to the plan sponsor for plan administration purposes.
Limit the collection, disclosure, and use of participant’s healthcare information to the minimum necessary to administer the plan.
Permit only trained, authorized individuals to have access to confidential information.
Other items that may be addressed include:
Communication with family. Under the plan provisions, the company may disclose to an employee’s family member, guardian, or any other person you identify, health information relevant to that person’s involvement in your obtaining healthcare benefits or payment related to your healthcare benefits.
Notification. The plan may use or disclose information to notify or assist in notifying a family member, personal representative, or another person responsible for your care, your location, general condition, plan benefits, or plan enrollment.
Business associates. There are some services provided to the plan through business associates. Examples include accountants, attorneys, actuaries, medical consultants, and financial consultants, as well as those who provide managed care, quality assurance, claims processing, claims auditing, claims monitoring, rehabilitation, and copy services. When these services are contracted, it may be necessary to disclose your health information to our business associates in order for them to perform the job we have asked them to do. To protect employee’s health information, however, the company will require the business associate to appropriately safeguard this information.
Benefit coordination. The plan may disclose health information to the extent authorized by and to the extent necessary to comply with plan benefit coordination.
Workers compensation. The plan may disclose health information to the extent authorized by and to the extent necessary to comply with laws relating to workers compensation or other similar programs established by law.
Law enforcement. The plan may disclose health information for law enforcement purposes as required by law or in response to a valid subpoena.
Sale of business. If the plan sponsor’s business is being sold, then medical information may be disclosed. The plan reserves the right to change its practices and to make the new provisions effective for all protected health information it maintains. Should the company’s information practices change, it will mail a revised notice to the address supplied by each employee.
The plan will not use or disclose employee’s health information without their authorization, except as described in this notice.
As an employee, you should be aware of your rights and feel confident that your employer is abiding by the guidelines of the Privacy Rule.
As an employer offering group insurance health care benefits, you should make your employees aware of their rights and should give them an avenue to obtain more information or to report a problem.