The HIPAA privacy rules, with which healthcare providers must comply
beginning April 14th, 2003, are part of the broad body of legislation
contained in the Health Insurance Portability and Accountability
Act, or HIPAA, which Congress adopted into law in 1996.
Congress enacted the HIPAA privacy rules to regulate the maintenance,
transmission, security and privacy of personal health information.
The rules define this information as individually identifiable "protected
health information" (PHI).
The HIPAA privacy rules will apply to all protected health information,
whether it is written in records, discussed orally, or communicated
electronically. A health care provider is a "covered entity" under the
HIPAA rules if it submits or receives electronic transactions (including
claims) through a clearinghouse, a vendor, or via the internet, or if it
submits paper claims to a billing service for conversion to electronic
transactions.
Under these rules, health care providers must have in place a written
privacy policy, and they must appoint a staff member to be a privacy
officer. The HIPAA privacy rules also say that patients have the
right to gain access to their records, to request corrections, and to
receive an accounting of any unauthorized use of their PHI.
Health care providers will be required to protect against unauthorized
use of patient information and against threats to security, to maintain
the safeguards necessary to protect confidentiality, to make sure their
employees access a patient's health information only on a "need to know"
basis, and to work to reduce the chance of inadvertent disclosure.
Health care providers will also be required to obtain written consent
from patients before disclosing any protected health information under
non-routine circumstances to most third parties, including the
patient's employer.