HIPAA 101: History and Best Practices
HIPAA, HIPAA, HIPAA! You are probably tired of the word, but the reality is we all deal with HIPAA on a daily basis. Consequently we can sometimes become complacent without realizing it. However, neither complacency nor ignorance is a defense when it concerns any federal law, including HIPAA. All health care providers, health care clearinghouses and health plans must follow the HIPAA Privacy Rule and the HIPAA Security Rule federal law.
HIPAA compliance can be a frightening concept, especially because non-compliance penalties can incur fines of up to $250,000 depending on the seriousness of the infraction. This is why it’s important that we all know the fundamentals of staff compliance standards in relation to the HIPAA Security Rule.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, was enacted on August 21, 1996. In 2002, the Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”) established, for the first time, a set of national standards for the protection of certain health information. The Privacy Rule addressed the use and disclosure of individuals’ health information by healthcare providers or organizations.
Changes in technology have brought shifts in multiple healthcare realms, including how protected health information (PHI) is communicated. For example, the term known as e-PHI or electronic Protected Health information, was created to address that new mode of communication. As a result of the changes, the Security Rule portion of HIPAA was established. The final regulation for the Security Rule was published February 20, 2003. The text of the final regulation can be found at 45 C.F.R. Part 160 and Part 164 - Security Standards: General rules.
The Security Rule
Although the Security Rule protects a subsection of PHI, it does not apply to PHI that is transmitted orally or in writing. The Security Rules does, however, provide additional protection for information confidentiality. There are two additional goals added to the Security Rule that pertain to e-PHI and are not part of the Privacy Rule. They are maintaining “integrity” and “availability” of e-PHI which are related to the “confidentiality” of that information. According to 45 C.F.R. § 164.304 – Security Standards: General rules, the term “integrity” purports e-PHI is not altered or destroyed in an unauthorized manner. In addition, “availability” purports e-PHI is accessible and usable on demand by an authorized person. According to 45 C.F.R. § 164.306(a) - Security Standards: General rules, covered entities must do the following:
- Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit
- Identify and protect against reasonably anticipated threats to the security or integrity of the information
- Protect against reasonably anticipated, impermissible uses or disclosures
- Ensure compliance by their workforce
More on Protected Health Information (PHI)
Protected Health Information is “all individually identifiable health information held or transmitted by a covered entity, or its business associates, in any form of media.” (CMS, 2003). This includes: name, address, names of relatives, birth date, telephone number, Social Security number, medical record number, health plan number, photograph, or any other unique identifier. It also includes demographic data that relates to the provision of the patient’s health care, payment for the provision of health care services, and physical or mental health or condition, regardless if it pertains to past, present or future.
Best Practices to Follow Regarding PHI:
- Minimize occurrences of others overhearing patient information. Do not use a patient’s entire name within hearing distance of others.
- Secure all paperwork containing PHI by placing in a drawer or folder when not in use. Cover charts so patient names are not visible. Never leave records or other PHI unattended.
- NEVER share passwords.
- Close computer programs containing patient information when not in use.
- Always use a cover sheet when faxing PHI.
- Properly dispose of information by shredding files that are no longer needed.
- Patient information should not be emailed to or from personal email or via any texts.
- Patient information may be emailed in a password protected file via a secured server. The password should be shared in a separate email
- Do not share information about any person being cared for with anyone other than colleagues who need the information; and then only the minimum necessary information.
- Do not share/discuss patient information, including but not limited to, diagnoses on any social media site.
As caregivers we must remember that we have a great responsibility to protect our clients’ and patients’ health information through HIPAA compliance. We must do whatever we can to ensure we maintain the integrity, confidentiality, and availability of all e-PHI at all times. It is not just legally required, but it is the right thing to do.
Bethany Nichols, PTA
Director of Medical Review, Century Rehabilitation
45 C.F.R. § 164.306(a) - Security Standards: General rules. (n.d.).