The specific contours and applications of HIPAA are complex, so when in doubt it is always best to seek formal legal advice. There are, however, a few general guidelines that everyone should be aware of when thinking about HIPAA.
Disclaimer: Please note that this article is not intended to be legal advice. You should always talk to a healthcare law attorney about your unique situation.
What is HIPAA?
The Health Insurance Portability and Accountability Act of 1996, commonly known as HIPAA, was enacted by Congress to make it easier for people to keep health insurance, to protect confidential healthcare information, and to lower the rising costs of medical care by simplifying the billing and coding systems of providers, thus allowing for quality coordination of care.
Unfortunately, most patients and providers do not understand HIPAA regulations. As a result, HIPAA is often incorrectly invoked to keep healthcare information from the family members and caregivers whom patients rely on to assist them with their care.
First, HIPAA regulates two main areas of health information: 1) standards related to the electronic transmission of healthcare information, and 2) the procedures used to ensure the security of health information.
The second provision is known as the Privacy Rule, and is by far the most often incorrectly invoked provision of HIPAA. At a very basic level, the Privacy Rule gives patients control over their health information without deterring research or undermining care. It is meant to balance patient privacy and public responsibility.
For example, it keeps private test results confidential while at the same time ensuring that public health concerns, like the bird flu, are dealt with responsibly. Unfortunately, the manner in which the Privacy Rule is invoked frequently demonstrates a misunderstanding of the regulation by patients and healthcare providers alike.
Protected health information (PHI)
Second, HIPAA covers all “individually identifiable health information” or Protected Health Information (PHI). This includes verbally transmitted or recorded information about a patient’s health, information on any physical or mental health condition, healthcare treatment, payment for healthcare treatment, and private identifying information like name, address, birth date, and social security number.
Nevertheless, such information may be released under certain circumstances, including with the patient's consent, in emergency situations, and when a provider reasonably believes it is in the patient's best interest to share certain information.
Third, HIPAA only applies to certain covered entities. Those include health plans such as Medicaid, Medicare, and private insurance carriers, as well as healthcare providers such as doctors, nurses, psychologists, pharmacists, and dentists.
Note that all of the employees and subcontracted entities of these providers are also covered. HIPAA does not, however, apply to law enforcement, most schools, employers, or many state agencies (e.g., CPS, DES).
Finally, HIPAA makes those who violate its provisions accountable for their actions. The regulations provide for both civil and criminal penalties for violators. No doubt the fear of such sanctions influences entities to invoke HIPAA as a barrier to sharing information; but understanding the regulations and properly applying them will ensure a much healthier result all around than operating under fear instilled by misunderstanding.
Want to talk about your case involving HIPAA? Contact one of the ARTEMiS Law Firm attorneys today.