Welcome to Smg

HIPAA Information


Privacy Protection of Health Information
Eric Bertelson - Implementation Manager
 
In early 2001, President Bush approved the Standards for Privacy of Individually Identifiable Health Information. This national privacy standard was created in response to the congressional mandate in HIPAA. The need for such standards has arisen from the dramatic shift of health information from paper to electronic media. While such privacy concerns have existed for many years with the paper medical records system, the introduction of widely available health information systems has made it substantially easier to release personal health information (PHI) without the authorization of the individual, and has left that information more vulnerable to such release. Specifically, these regulations seek to implement common practices by giving individuals the right to inspect their records, know the uses of their data, and obtain an accounting of disclosures. HIPAA and its subsequent rules and regulations are the result of our lack of protection under the Constitution. States have enacted various privacy standards with regard to health information, but no national standard has existed until now.

On April 12, 2001, the Department of Health and Human Services (HHS) announced that it would move forward with its final guidelines, with the effective date for most covered entities being April 12, 2003. These guidelines include definition of standard, privacy and security, fair information practices, and their effect on existing State laws. Any data that is individually identifiable, whether in paper or electronic format, is covered under these guidelines. Covered entities include health plans, health care clearinghouses, providers, and "business associates". These covered entities must guard against both deliberate and accidental release of PHI without the prior consent of the individual. In addition, policies and procedures must be developed to handle complaints and to set consequences for persons who act in violation of these policies and procedures. Anyone handling PHI should conform to the fair practices that allow the individual to make a reasonably informed decision about their healthcare. These should include: access to records (both electronic and physical), the ability to correct erroneous data, and the right to access the audit trail of their records (access and disclosures). Existing State laws that are more stringent than the HIPAA and HHS regulations will not be affected.

These regulations also deal with the disclosure of PHI for both direct healthcare and other indirect purposes. PHI may be used "liberally" with regard to healthcare (providing care, billing, etc.) with the individual's informed consent. Healthcare entities must receive written consent containing the purpose, the use, and the right to revoke and restrict how the PHI is to be used. Outside of healthcare, the limitations are much more restrictive. The entity must provide the specific information to be used, the person the information is to be sent to, the purpose, and the right to refuse and revoke, with a specific expiration date. Exceptions to this regulation still exist when it pertains to public health and safety, judicial/law enforcement, and commercial marketing. The spirit and intent of these regulations are to improve clinical outcomes, deter fraud and abuse, and enable the individual to give informed consent with regard to healthcare decisions while building trust in the national healthcare system.
 

Copyright © 1999 SMG Inc.
Last modified: November 18, 2002