The HIPAA Privacy Act, Research Paper Example

Introduction

Healthcare-related issues have always been topical in the US community – because of a great number of employers, health plan providers and charity organizations provide US citizens with varied services healthcare information may be stored and disclosed improperly. These practices have been repeatedly impeding on the rights of the US population until the Privacy legislation was initiated in 1974. The first legislative act that formulated basic privacy rules, protection and disclosure standards for healthcare information was the federal Privacy Act (Leo 171). However, it quickly proved inconsistent with real need for privacy expressed by US patients. The struggle for observance of basic human rights in the sphere of medical services continued.

The relief came in 1996 when the Health Insurance Portability & Accountability Act (HIPAA) was adopted. It became a genuine breakthrough in protection of individual medical information because it recognized the right for access and amendment of personal information as a unique personal privilege. Besides, the HIPAA Privacy Act stipulated the need to obtain the individual’s consent for obtaining his or her health-related information (Leo 171). HIPAA was significant for the privacy policy’s observance in many other ways as well. It was recognized the first legislative document to have mandated procedures for disclosing information both from paper-based and electronic sources.

Surely, not everything was ideal from the start. There were also challenges with the implementation of HIPAA provisions, the main of which was to create generalizable standards with which the work of all covered entities would comply and which could be used as a universal assessment scale for evaluation of their actions, their correctness or wrongness. The traditional information flow allowed many cases of misuse or inappropriate information disclosure because of the multiple bodies who acquired the patient’s medical information: the laboratory, the pharmacy, the benefit manager, the clearinghouse, the payer. Taking these bodies into consideration, it is necessary to note that only the provider and the pharmacist used to be bound by the privacy restrictions. Thus, the information could be misused by all other participants of the information flow without any penalties and criminal procedures (Leo 172).

Judging from the previous state of affairs, one can understand that the importance of HIPAA adoption can hardly be exaggerated – the statistics of trust towards healthcare providers can serve as a good proof of this fact. Hence, before HIPAA two thirds of all medical services consumers did not trust their providers concerning their medical information privacy, and one in five Americans truly believed that there were cases of inappropriate disclosure thereof (Leo 171). This way, one can see how strongly the attitude towards privacy changed within less than two decades and how much attention is not being paid to patient security and privacy.

Legal Issues Concerning HIPA Adoption

HIPAA was adopted in 1996 and has an official name of the Public Law 104-191 – initially it needed clarifications and additional provisions as to the electronic health care transactions as a new field of storing health information of patients. This additional care was paid to electronic means of information storage due to the recognized assumption that extended usage of computer technology increases the risk of inappropriate information disclosure. As a result, Federal privacy protections for personally identifiable health information (PHI) (HIPAA Privacy Act).

All discussed additions and amendments were embodied in the form of a final regulation adopted in 2000 and enacted in 2001 under the name of the HIPAA Privacy Rule (HIPAA Privacy Act). The significance of Privacy Rule cannot be overestimated: it set nationwide standards for HIPAA implementation, stipulated th types of covered entities (i.e. health plans, health care clearinghouses and healthcare providers who conduct transactions by electronic means) (HIPAA Privacy Act).

Starting from 2003, the HIPAA Privacy Rule concerned all covered entities, presupposing that by that time they had to take all necessary measures to ensure the protection of PHI. Certain penalties of civil and even criminal character were presupposed for the untimely or successful implementation of HIPAA – governed measures.

This time the federal government paid appropriate attention to public interests in the adoption of HIPAA. There was much opportunity for discussions and suggestions from the common public on the subject of the scope of action presupposed of HIPAA. This was done to satisfy the need of patients for satisfactory patient care and to eliminate all barriers or negative factors affecting it. Upon consideration of all public opinions it was allowed to pass the 2002 modification of the Privacy Rule that served as the final draft of the law. Upon the final round of public considerations it was finally adopted in 2003 and gained the status of the public law. According to the judicial account, the HIPAA Privacy Rule was the first law that was designed for health information protection. Comparing its influence to the one of similar information privacy, one should remember that the HIPAA Privacy Rule does not substitute any of them and does not presuppose softening of privacy protection regulations, only tightening them in case it is applicable.

Personally Identifiable Health Information

Since the main purpose of the HIPAA is privacy protection, one should clearly understand what definitely should be protected. According to the HIPAA, there are ten major types of PHI that refer to oral, paper-based and electronic sources of information. They include “health care claims or health care encounter information, such as documentation of doctor’s visits and notes made by physicians and other provider staff” and “health care payment and remittance advice” (HIPAA Privacy Rule). Documents that coordinate healthcare-related benefits of the patient, status of his or her health care claims, health plan –related information (including enrolment, eligibility and premium payments) ((HIPAA Privacy Rule). Finally, the documentation on injury reports, attachments to health heath claims and referral certifications and authorization are also included in the list (HIPAA Privacy Rule).

PHI being so diverse and vulnerable for misuse, it is protected by a set of HIPAA-established rules. They are the Security Rule, the Privacy Rule and the Electronic Transactions provision. The Privacy Rule pertains to the ability to manage personal information by patients, to understand the components of their medical information and to realize the basics of its disclosure and use. The Security Rule is more complex and pertains to the ability of covered entities to protect the confidentiality of medical information. The final part constitutes the Transaction and Code Sets standards (TCS) that govern the process of electronically stored medical information (Leo 173).

Thus, analyzing the newly introduced provisions as well as the major changes in the information flow under HIPAA one will understand how reformed it has become and what protection the individual health information has obtained. For example, admitting clerks should have preliminary privacy training, all technical appliances like printers and Xerox machines should be protected from outside access etc. (Leo 174).

Nonetheless, there is much more to be discussed about the provisions of the HIPAA Privacy Rule. One of the main issues for consideration is the employer-related information and the discussion of covered entities established by HIPAA. The USA commonly practice provision of health insurance by the employer, hence under the newly established bunch of norms restricting the information disclosure every employer should know the basics of HIPAA Privacy Rule to secure him- or herself from criminal persecution.

HIPAA Privacy Rule. Covered Entities’ Regulations

The first popular question that employers have is whether they are considered the covered entities eligible for the HIPAA Privacy Rule; they may be ones in case they offer a group plan to their employees (Beaver and Herold 243). The authors emphasize the fact that many employers get into trouble being sure that the HIPAA Privacy Rule does not touch upon their activity in case they do not actually sell health insurance to their employees and do not offer direct services in treatment:

“Many employers would be surprised or alarmed to learn how HIPAA can and likely will impact their operations. Employers must determine the nature of their relationship with their employee benefit plans, their use of protected health information (PHI), and how their activities must be modified to comply with HIPAA” (Beaver and Herold 243)

As a rule, an employer may cooperate with covered entities but not be one – this situation may occur in case the employer offers some medical services available directly at the workplace for his or her employees. Despite such cases are rare, still the employers should know what obligations they should fulfill being covered entities (the information is vital not only for employers but for all consumers and providers of health services):

“Covered entities must adopt written PHI privacy procedures; designate a privacy officer; require their business associates to sign agreements respecting the confidentiality of PHI; train all of their employees in privacy rule requirements; give patients written notice of the covered entities’ privacy practices and access to their medical records…” (HIPAA Privacy Rule).

In addition to these core functions of covered entities in creating adequate privacy protection conditions they should provide the healthcare consumers with the right to modify their records, to find out the restrictions that spread on their individual health information. They are responsible for teaching consumers to file complaints in case they detect or suspect the violation of their health information privacy (HIPAA Privacy Rule). In addition, covered entities should keep an eye open for the medical information commercial use or the influential factor in making employment decisions.

The significant issue in the HIPAA Privacy Rule compliance is authorization of the client – it is a delicate question that has some exceptions and norms necessary to be known well to avoid misunderstanding and criminal proceedings. In general, the patient is the main owner of his or her PHI, so the authorization is necessary in all cases excluding the following cases: “Patient authorization is not necessary if a disclosure is made for purposes of treatment, securing payment, or in accordance with the operations of a health care provider” (HIPAA Privacy Rule). And, which is also essential, the covered entity is authorized to disclose only the minimum necessary information to the institution that requested it, no matter whether the authorization has been received from the healthcare consumer or was not needed.

Finally, one should know the situations that require the PHI disclosure and do not need authorization, being at the same time non-punishable by law. This general exception pertains to such cases as when the public health issues are involved, when the information is necessary for the court or agency proceedings, when it is needed for law enforcement officers, and in case of emergencies. The PHI can also be disclosed without authorization in case it will help in the identification of deceased people and when the questions of national security are discussed (HIPAA Privacy Rule).

Conclusion

The HIPAA introduction was a logical conclusion of the long-lasting struggle for the privacy of health information protection. The USA, the world’s most prominent democracy that puts the civil and constitutional rights of its citizens to the fore in the issues of domestic and foreign policy has failed to recognize the need for health information privacy. Even upon recognizing it in 1974 the US legislation proved unable to offer the adequate number of standards and provisions to secure the right stipulated legally.

However, in the process of nearly three decades’ work on the design of a brand-new legislative act that would not only proclaim privacy of medical information but would also take care of the practical side of the issue the HIPAA Privacy Rule was finally designed. It takes into account all drawbacks and black spots of previous legislative acts because of much public participation in its formulation. Thus, it is now the only comprehensive and enacted law that ensures securing personally identifiable health information stored in all kinds of carriers, in any health institutions and possessed by any consumers.

Works Cited

Beaver, Kevin, and Rebecca Herold. The practical guide to HIPAA privacy and security compliance. CRC Press, 2004.

HIPAA Privacy Act. 2010. 24 March 2010. <http://www.meditec.com/resourcestools/ coding-hipaa-privacy-act/>

HIPAA Privacy Rule – What Employers Need to Know. 2010. 24 March 2010. <http://www.twc.state.tx.us/news/efte/hipaa_basics.html>

Leo, Ross. The HIPAA Program Reference Handbook. CRC Press, 2004.