Starting April 14, whenever you, your family, and your employees/co-workers need some type of health care services from a hospital or a physician’s office, you’ll encounter first-hand how the Privacy Rule of the Health Insurance Portability & Accountability Act (HIPAA) of 1996 affects you. The Department of Health & Human Services will require hospitals and physician offices throughout our country to provide their patients with privacy notices and to ask them to sign a statement acknowledging receipt of such notice.
Will this lengthen the registration process? Yes, but most likely by less than a minute.
Several more substantial questions need to be asked. First, just what is HIPAA? This Act, passed by Congress in 1996, is composed of three sets of federal laws that work together, with the final goal being the automation of health care. The three sets of laws include the Transaction Code Set Rules, which standardize the billing forms, formats, and codes that were implemented October 13, 2002, although most health care providers successfully filed for a one-year extension (this standardization will provide the information needed to substantially improve the quality of American health care); the Security Rules, which have been drafted, but not finalized, to ensure the privacy of patient information that’s held in the information systems of health care providers; and the Privacy Rules, slated for implementation April 14.
The second question is what do the HIPAA Privacy Rules entail? According to the Office of Civil Rights, which will monitor compliance with the Privacy Rules, national standards have been created for the first time to protect individuals’ medical records and other personal health information. Additionally, OCR lists five features of the Privacy Rules on its Web site:
- It gives patients more control over their health information.
- It sets boundaries on the use and reuse of health records.
- It establishes appropriate safeguards that health care providers and others must achieve to protect the privacy of health information.
- It holds violators accountable, with civil and criminal penalties that can be imposed if they violate patients’ privacy rights.
- It strikes a balance when public responsibility supports disclosure of some forms of data—for example, to protect public health.
Third, what do the HIPAA Privacy Rules require health care providers or health plans to do? In a December 3, 2002 document posted on its Web site, OCR contends the Privacy Rules require notifying patients about their privacy rights and how their information can be used, which is referred to in the opening paragraph; adopting and implementing privacy procedures for the practice, hospital, or plan; training employees so they understand the privacy procedures; designating an individual to be responsible for seeing that the privacy procedures are adopted and followed; and securing patient records containing identifiable health information so they aren’t readily available to those who don’t need them.
We at OSF HealthCare already had confidentiality standards, which have worked well for our paper medical records system. Adherence to those standards has earned us significant patient trust, which in turn has made our patients willing to share with us all the information needed for the delivery of high quality care. In today’s modern, automated, and electronic health care settings, though, there’s a need to have even more stringent confidentiality standards in place, and HIPAA has formalized them for us.
The last question you should ask, especially if you’re in human resources or an owner or partner in your business, is this: is our private benefit plan a health plan? If the answer is “yes,” your plan is also subject to the HIPAA Privacy Rules. To help you answer this question, the Centers for Medicare and Medicaid Services developed a flow chart of questions, which can be found on their Web site at www.cms.gov/hipaa.