Computer Technology Update
Meeting the April Deadline for the HIPAA Privacy Rule
BY MALCOLM H. MORRISON, PhD
The April 14 deadline is approaching for complying with the HIPAA privacy rules. The privacy rules safeguard the use and disclosure of individually identifiable health information, and place certain requirements on “covered entities” that use or disclose “protected health information” (PHI). Now is a good time to make sure that you are clear about HIPAA’s terminology and the requirements of providers.
HIPAA covered entities are defined as health plans and healthcare providers involved in certain electronic transactions and healthcare clearinghouses. The general HIPAA Privacy Rule states that covered entities may not use or disclose PHI except as authorized by the individual described by the information or as explicitly required or permitted by regulation. When the use or disclosure of PHI is permitted, usually only the minimum necessary PHI needed to accomplish the intended purpose may be provided.
Individually identifiable health information is information created or received by a healthcare provider, health plan, public health authority, employer, life insurer, school, university, or healthcare clearinghouse that relates to the past, present, or future physical or mental health or condition of an individual, the healthcare provided to that individual, or past, present, or future reimbursement for that healthcare. Specific identifiers, pertaining not only to the individual but to relatives, employers, or household members, include: name, address, any date identifiable to the individual (e.g., birth date, treatment date, discharge date), Social Security number, medical record number, health plan benefit number, telephone or fax number, account number, vehicle identification or license plate number, e-mail address, and any other individually identifying number, characteristic, or code.
As alluded to earlier, some disclosure is permitted. Health plans may use or disclose PHI for treatment, reimbursement, or healthcare operations without the individual’s consent or authorization. These exceptions are broadly defined but, as with all the material in this article, the provider should check with a HIPAA-conversant attorney about the full meaning of these terms.
Individuals have certain rights under the privacy rules with regard to their own PHI. An individual can request access to and obtain copies of his or her PHI, request that the provider amend his or her PHI, request an accounting of disclosures of his or her PHI or, within limits, restrict the use and disclosure of his or her PHI. In addition, the provider must adopt and document policies and procedures with respect to individual rights under the HIPAA privacy rules.
The final Privacy Rule issued late last year (2002) made several important modifications to the original; it specifically:
Under the rule, covered entities will still be required to obtain an individual’s authorization for uses and disclosures of PHI. The rule requires this authorization to include the following core elements:
In addition to these core elements, the authorization must contain the following notification statements and must be written in plain language:
In general, it is important to recognize that although HIPAA’s privacy requirements do cover electronic data, protection of all PHI (electronically maintained or otherwise) is required, and many HIPAA-compliance steps may not involve electronic processes. At a minimum, each organization should review the security of electronic PHI to ensure compliance with HIPAA privacy regulations.
Malcolm H. Morrison, PhD, is president and CEO of Morrison Informatics, Inc., an information technology and data analysis company based in Mechanicsburg, Pennsylvania. For further information, e-mail firstname.lastname@example.org or phone (800) 559-8410.