Health Insurance Portability and Accountability Act
Health care providers must comply with the privacy requirements by 4/14/03, which establish Protected Health Information (PHI).
Establish rules to protect privacy and security of individually identifiable health information.
Protected Health Information
PHI (protected health information):
- Any individually identifiable information whether oral or recorded in any form.
- That relates to the past, present, or future physical or mental health or condition of an individual.
- The provision of health care to an individual.
- The past, present or future payment for the provision of health care to an individual.
Examples of PHI:
- Zip codes
- Names of relatives and employees
- Birth date
- Telephone numbers
- Fax numbers
- Names of household members
- Email address
- Social security #
- Medical record #
- Health plan benefit #
- Account #
- Vehicle/serial #
- Photographic images
- Any other unique identifying #, characteristic or code.
Why is this regulation needed?
Under the current patchwork of laws, personal health info can be distributed - without either notice or consent - for reasons that have nothing to do with a patient's medical treatment or health care reimbursement.
Patient information held by a health plan may be passed on to a lender who may then deny the patient's application for a home mortgage or a credit card - or to an employer who may use it in personnel decisions.
Who is governed by HIPAA?
- Health plans
- Health care clearinghouses
- Health care providers who conduct administrative and financial transactions electronically
- Business Associates of a covered entity by contract or agreement.
Patient rights under HIPAA:
- The right to access their medical records
- Notice of privacy practices
- Prohibition on marketing
- Formal complaint process
What can happen if we do not comply with HIPAA?
Patient distrust and dissatisfaction.
Non-compliance with requirements
$100 per violation to a maximum of $25,000 per requirement per year.
Wrongful disclosure of PHI (obtaining and disclosing PHI) carries the following penalties:
- $50,000 and/or 1 year in prison for wrongful disclosure.
- $100,000 and/or 5 years in prison for violations involving obtaining or passing information under false pretenses.
- $250,000 and/or 10 years in prison for violations involving intent to sell information.
Who do we refer patient information requests to?
1. Compliance and Privacy Officer
2. Corporate chief, security officer
3. Information desk
Examples of reasonable safeguards include:
- Speak quietly when discussing a patient's condition.
- Avoid the use of patient's name in public hallways.
- Verification by DOB or SS# when disclosing PHI on the telephone
- Faxing only to other medical providers
- Mailing PHI only in sealed envelopes
Privacy standards DO NOT prevent:
- Orally coordinating care with healthcare providers
- Telephone conversations with a patient or provider in joint treatment areas.
- Discussion during rounds
- Calling out a patient's name in the waiting area.
- Sign in sheet with name and time of arrival.