The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that protects the privacy of a patient's medical information. The regulations issued under it set standards that covered entities must follow to protect patient privacy: the Privacy Rule governs how protected health information (PHI) may be used and disclosed, the Security Rule sets administrative, physical and technical safeguards for electronic protected health information (ePHI), and the Breach Notification Rule, added by the HITECH Act in 2009, requires notification when unsecured PHI is compromised. These rules apply to healthcare providers, health plans and clearinghouses, and to the business associates that handle PHI on their behalf.
Have recent rulings changed how HIPAA laws protect patients from disclosures to third parties? As of the writing of this post, there have been no changes.
That being said, it’s important to understand what HIPAA protects and what it doesn’t.
In 1996, Congress passed the Health Insurance Portability and Accountability Act (HIPAA), which laid out standards to follow to help ensure patient privacy.
HIPAA is a federal law that protects patient privacy by requiring covered entities to safeguard the medical information they collect about you. State laws may also apply in addition to HIPAA; where a state law is more protective of the patient, it is not preempted and must be followed as well.
The HIPAA Privacy Rule establishes national standards for how covered entities must handle protected health information. It also sets limits on who can see PHI and on how it can be used or disclosed without the patient's written authorization.
HIPAA applies to healthcare providers, health plans and clearinghouses, and to the business associates that handle PHI on their behalf
To be considered a HIPAA covered entity, you must be one of the following:
- a healthcare provider
- a health plan
- a clearinghouse
These are the three categories to which HIPAA applies directly; however, the individuals and organizations that support a covered entity and handle its PHI in the process are also regulated, as business associates.
A business associate is any person or organization outside a covered entity that creates, receives, maintains or transmits PHI while performing a function or service on that entity's behalf. Examples include vendors, contractors and subcontractors that perform claims processing for medical practices, IT companies that host or manage electronic medical records, and call centers that take calls from patients and discuss their health conditions. Since the 2013 Omnibus Rule, a subcontractor of a business associate that handles PHI is itself a business associate and is directly liable for compliance. The test is whether the vendor handles PHI, not its job title: a service that never touches PHI (for example, a landscaping contractor) is not a business associate, while a cloud provider that merely stores encrypted ePHI is one even if it never views the data.
Any time you use someone else's services to handle PHI or other medical data, whether that is an automated billing system run for the hospital or voice-recognition software used in doctors' offices, the vendor must sign a written agreement specifying how it will handle the information while working on your organization's behalf. This agreement is called a Business Associate Agreement (BAA). It defines the permitted uses and disclosures of PHI, requires the business associate to implement appropriate safeguards and to report breaches and security incidents to the covered entity, obligates it to flow the same terms down to its subcontractors, and requires the return or destruction of PHI when the relationship ends. Both parties can be held liable if these terms are not met.
HIPAA does not prevent covered entities from sharing PHI in response to a warrant or subpoena, but the minimum necessary rule still applies.
The Privacy Rule requires covered entities to limit the PHI they use, disclose or request to the minimum necessary to accomplish the intended purpose. A warrant, court order or subpoena does not suspend this requirement: the organization should disclose only what the legal process actually covers and what it believes is reasonably necessary for the law enforcement purpose. There is also a distinction worth knowing. A disclosure ordered by a court is limited to the PHI the order expressly authorizes. A subpoena or discovery request that is not signed by a judge is different: under the Privacy Rule, the covered entity may respond only if it receives satisfactory assurances that the patient has been notified and given a chance to object, or that a qualified protective order has been sought, unless the request falls under another permitted disclosure such as the specific law enforcement provisions.
If your organization receives a subpoena requesting PHI in connection with an investigation into suspected criminal activity, contact your legal counsel before responding. Counsel can confirm that the request meets the Privacy Rule's conditions, that any stricter state law on the sharing of medical information is satisfied, and that the disclosure is documented in the accounting of disclosures the patient is entitled to request.
While HIPAA has not changed, it is important to understand what it does and does not cover. Clearly communicated policies and procedures, and staff who are trained on them, are critical for your practice to understand and meet the requirements of this law.