You are not currently logged in. Please log in to CEUfast to enable the course progress and auto resume features.

Back

HIPAA: Health Insurance Portability and Accountability Act

2.00 Contact Hours:
A score of 80% correct answers on a test is required to successfully complete any course and attain a certificate of completion.
Author:    Shelly McDonald (MSN, RN)

Purpose/Goals

This learning module is designed to provide practicing nurses with the nuts and bolts about the requirements of the Health Insurance Portability and Accountability Act (HIPAA), particularly as it relates to patient privacy. Strict guidelines for maintaining privacy, confidentiality, and security of health information are also part of HIPAA legislation.  The implications HIPAA has for researchers are also discussed.

Objectives

Upon completion of this module, the learner will be able to complete the following objectives.

  1. Explain the components of the HIPAA legislation.
  2. Differentiate between protected health information (PHI) and individually identifiable health information (IIHI).
  3. Describe processes that must be used to assure patient information is kept confidential and secure
  4. Discuss three modifications to the HIPAA Act of 1996 by the American Recovery and Reinvestment ACT (ARRA) of 2009.
  5. Discuss three new provisions as noted in the HIPAA 2013 regulations.

Introduction

The Health Insurance Portability and Accountability Act of 1996 (HIPAA), also known as “Kennedy-Kassebaum”, passed congress rapidly and with great bipartisan support in 1996. Many aspects of the legislation have been implemented in the ensuing years; the deadline for full implementation of the privacy and confidentiality requirements was April 14, 2003.  Health care providers and organizations have strict guidelines that must be followed to remain within the law. While this module and most of our attention now is focused on the provisions of the legislation that deal with privacy, confidentiality, and security of patient records, HIPAA also contains legislation aimed at reducing health care related administrative costs, eliminating pre-existing clauses and waiting periods for individuals changing insurance coverage, and increasing access to insurance for individual purchasers.   

HIPAA was designed to address public concerns about managed care, insurance availability, and insurance affordability.  For example, HIPAA prohibits insurance companies from denying coverage because of 1) preexisting conditions, 2) a family member’s health status, or 3) whether or not an individual has been covered under a group policy and is seeking a personal health insurance policy.  Further, HIPAA ensures immediate coverage without regard to pre-existing conditions for individuals who change jobs and insurance carriers.  HIPAA also established a pilot program for medical savings accounts (MSAs) that allows individuals to create a “health insurance individual account” to purchase health services and retain unspent funds rather than paying monthly premiums.  Further, to encourage the purchase of long-term care insurance, HIPAA allows employers to deduct premiums and most benefits are tax-free to the beneficiary. Additionally, to facilitate purchase of health insurance by self-employed persons, the law allows 80% of the annual premiums to be tax-deductible. While many health policy analysts agree that these provisions have little impact on reducing the number of uninsured, they do, however, think these efforts are worthwhile. In 2003, attention to HIPAA was riveted on implementing and paying for the privacy, confidentiality, and security aspects of the legislation (DiBenedetto, 2003).

In 1996, HIPAA was viewed as a way to reduce administrative costs, provide better access to health information, reduce fraud, and guaranty privacy of health information. However, the American Hospital Association estimates that it may cost between $4 billion and $22 billion to implement the tenets of the law. A search of the literature failed to produce specifics regarding cost; however, according to Gue and Upham (2004), the majority of costs are associated with developing and implementing software that integrates providers, payers, and governmental agencies.

As part of the HIPAA rule promulgation, the Centers for Medicare and Medicaid Services (CMS) mandated standardization of transaction and code sets (TSC) to reduce duplication, confusion, and non-compliance.  CMS standards rely on use of ICD-9 codes for disease classification, CPT codes for procedures, and national drug codes (NDC) for medications.  CMS admits that problems with these coding sets exist; new ICD-10-CM and ICD-10-PCS are thought to reduce the ambiguity and facilitate full implementation of electronic processing (HIPAA-General, 2013). 

HIPAA was just the beginning of the ultimate conversion of healthcare information into an electronic health record (EHR).  The Bush administration projected it will cost $100 million a year for 10 years primarily to fund demonstration projects and trial programs aimed at achieving four major goals: 1) establish routine use of EHRs in clinical practice, 2) connect health care workers in information exchange for clinical decision making, 3) enhance patients’ ability to choose providers based on quality, and 4) integrate public health surveillance systems into an interoperable network to support new research and better care (Scott, 2004, p. 34).

In 2012 HIPAA modifications required that all patients be able to access their own medical records, correct errors or omissions, and be informed how personal information is shared and used. Other provisions involved notification of privacy procedures to the patient. HIPAA provisions have led to extensive overhauling with regard to medical records and billing systems. Any healthcare provider that electronically stores, processes or transmits medical records, medical claims, remittances, or certifications must comply with HIPAA regulations.

 In 2013, HIPAA was modified, as described in the Federal Register/ Vol. 78, No.17/ Friday, January 25, 2013/Rules and Regulations. The Department of Health and Human Services, Office for Civil Rights issued its final rules to modify this HIPAA Privacy, Security, and Enforcement Rules to implement statutory amendments under the Health Information Technology for Economic and Clinical Health Act (HITECH) to strengthen the privacy and security protection for individuals’ health information.

The final release is comprised of four final rules, which have been combined to reduce the impact and number of times certain compliance activities need to be undertaken by the regulated entities. According to the Federal Register (Modifications, 2013), these rules are listed below.

Rule Number One:

  • HIPAA emphasizes that covered entities should not use their business associates for Public Health Reporting. Rule number one makes business associates directly liable for compliance with certain HIPAA Privacy and Security Rules’ requirements. This is part of the HIPAA Omnibus Rule.
  • It strengthens the limitations on the use and disclosure of protected health information (PHI) for marketing and fundraising, and prohibits the sale of PHI without the individual’s written authorization.
  • Expands the individual’s rights to receive electronic copies of their health information and restricts disclosures to a health plan concerning treatment for which the individual has paid out of their pocket in full.
  • Requires modifications to, and redistributions of a covered entity’s notice of privacy practices.
  • This rule modifies the individual authorization and other requirements to facilitate research and disclosure of child immunization proof to schools, and to enable access to decedent information by family members or others.
  • The rule now adopts the additional HITECH Act enhancements to the Enforcement Rule not previously adopted in the October 30, 2009, interim final ruled and thus provisions addressing enforcement of noncompliance with the HIPAA Rules due to willful neglect.? 

Rule Number Two:

  •  This rule adopts changes to the HIPAA Enforcement Rule to incorporate the increased and tiered civil money penalty structure provided by the HITECH Act, originally published as an interim final rule on October 30, 2009.

 Rule Number Three:

  •  This is the final rule on Breach Notification for Unsecured Protected Health Information under the HITECH Act, which now replaces the breach notification rule’s “harm” threshold with a more objective standard and supplants an interim final rule published on August 24, 2009.

 Rule Number Four:

  •  This is the final rule which modifies the HIPAA Privacy Rule as required by the Genetic Information Nondiscrimination Act (GINA) to prohibit most health plans from using or disclosing genetic information for underwriting purposes, which was published as a proposed rule on October 7, 2009.

 As of January 2016, more expectations have been added to HIPAA. First, a second round of HIPAA audits will begin being conducted this year. Due to an overwhelming number of HIPAA violation complaints in previous years, the Office of Civil Rights will attempt to audit more facilities to ensure compliance with all HIPAA regulations. These audits consist of reviewing organizational policies regarding how Patient Health Information is stored, accessed, reviewed, and kept secure, as well as the training involved throughout the organization on protecting and securing Patient Health Information, reporting breaches or potential breaches, and identifying or addressing risks. 

 In addition to these audits, the Office for Civil Rights has determined that many patients are still unable to access their records online, which restricts the amount of autonomy they have over their own health. A Frequently Asked Questions sheet was released in January 2016 to address a patient’s right to access their health information, requirements for organizations to comply, and the alignment with the HITECH Electronic Health Record Incentive Program (Samuels, 2016b).

 Lastly, the HIPAA Privacy Rule was also amended in January of 2016 in order to strengthen the background checks that are conducted prior to allowing someone to purchase a firearm. Under these changes, certain providers can now disclose information to the National Instant Criminal Background Check (NICS) system if someone poses a threat to themselves or others, lacks the mental capacity to make certain decisions, or has been involuntary committed to a mental institution. In order to maintain the patient’s privacy, the information provided to the NICS is limited in its nature and should not include any clinical information (Samuels, 2016a).

The Basics

HIPAA contains provisions for both privacy and security.  Privacy rules have been promulgated and compliance is required. Today, with the HIPAA 2013, new provisions were created to help protect the sensitive information that often times ends up in electronic data files. These files could be seen by hundreds of strangers who work in health care, the insurance industry, and a host of businesses associated with medical organizations.  HIPAA sets the standards for privacy in this electronic age where the health industry, government, and public interests often prevail over the patient’s desire and need for confidentiality.

 A key factor for all health care providers and organizations to keep in mind is that, while HIPAA rules are strict, if state law covering the same topic is more stringent, the state law must be followed (Herrin, 2003).  Health providers are well advised not to overlook state law as they accommodate HIPAA.  Providers and organizations must remain up-to-date with both HIPAA and state law changes.

The intent of HIPAA is to protect patients from unauthorized or inappropriate use and access to their health information.  Further, the rules protect patients by giving them access to their health information so they know what has been documented about their health status. Proposed by-products of HIPAA are to improve quality of care, restore trust in the health care system, and improve the efficiency and effectiveness of information dissemination by building on existing legal frameworks. HIPAA also contains an administrative simplification section designed to improve the efficiency of health information coding to facilitate digital transfer of information between and among health care providers, payers, and health plans.

 HIPAA creates safeguards so that only those people or entities having a real need to know health information will be able to access it (Calloway and Venegas 2002).  The HIPAA rules complement other standards that protect patients’ rights, i.e., the Joint Commission on Accreditation of Health Care Organizations (JCAHO) and the Centers for Medicare and Medicaid Services (CMS). Compliance with privacy rules promises to be a cornerstone of future JCAHO and Medicare/Medicaid surveys.  Remember, compliance is mandatory, not voluntary. 

Why HIPAA is needed?

Health care professionals have long realized the need to protect patients from unauthorized use of their health information; at the same time, they want to have access to needed information when treating a patient.  Widespread use of electronic data is facilitating the rapid transfer of information and the Institute of Medicine has urged the creation of standards so electronic records can be available (Follansbee, 2002), (HIPAA Compliance White Paper, 2012).

Similarly, the public is greatly concerned about the privacy of their medical records.  Prior to the electronic medical record, patient information was maintained in paper form and neatly locked away, accessible only to those who had authorized access.  With computerized records, information can be accessed, changed, distributed, and copied with far less regard for appropriate authorization, (2013 Guide to HIPAA Compliance, 2013).

Serious breaches of record confidentiality have occurred.  An employee of the Hillsborough county health department was able to carry home a disk with the names of 4000 HIV positive patients.  People have purchased used computers that contained prescription records of patients; Eli Lilly recently sent out an email with the names of patients taking Prozac; the University of Montana inadvertently placed the medical records of some 62 people on the internet. Consequently, patients, health care providers, and other health care entities are very concerned about confidentiality, restoring the public trust, and protecting themselves from lawsuits.

Yet, the ability of multiple providers to access a patient’s record can significantly improve the overall quality of care. Think about the chronically ill individual who receives care from more than one or two specialist providers. If each provider has access to the most recent treatment plan, it stands to reason that care will be more coordinated, efficient, and effective.

Understanding HIPAA

Who is included in HIPAA law?

HIPAA describes those affected by the law as “covered entities”.  Included under this umbrella are health care providers, health plans, health care clearinghouses, and business associates.

Health care providers are defined as anyone who is paid for health care services or bills for services provided.  The list is all inclusive:  physicians, licensed health care providers, hospitals, outpatient physical therapists, social workers, certified nurse midwives, technicians administering X-rays done at home, home health agencies, pharmacists, providers of home dialysis supplies and equipment, nursing homes, nurses, and nurse administrators.  This list means that any hospital or health facility worker who may see confidential patient information is included.

A health plan is any individual or group that pays for health care services.  Included are health maintenance organizations (HMOs, insurance companies, Medicare/Medicaid, self-insured plans, employee group plans, federal plans such as CHAMPUS, military, veteran’s administration, and Indian health services.

Clearinghouses are those entities that receive health information from providers and health plans.  They typically are responsible for standardizing the information to improve claims processing.  Included in this group are third-party administrators, billing services, and re-pricing agencies

The business associates category covers a broad range of professionals and services.  Included are attorneys, consultants, auditors, accountants, billing firms, data processing companies, and practice management firms.  Nurses working as independent contractors, i.e., case managers, legal nurse consultants, and educators are included and subject to compliance with HIPAA law.   A contract between the business associate and hiring agent must be in place before the associate can see any patient information.

What health information is protected?

HIPAA created two new phrases to describe information protected by the legislation.  The medical record is now referred to as protected health information (PHI).  This includes all information that is created by any covered entity.  All forms of the information are part of protected health information, i.e., paper, electronic, video tapes, photos, audiotapes, and any information that has been duplicated, discussed, read from a computer screen, or shared over the internet.

The other new HIPAA phrase is individually identifiable health information (IIHI).  Included in this category is any information that could reasonably be linked to a specific patient, such as a photo, name, address, date of birth, next of kin or responsible relative, medical record identifier, social security number, driver’s license number, health beneficiary, account number, employer, finger, or voice prints.

The law specifies that some information that is not individually identifiable can remain.  Age that is reported as 60+ if the patient is older than 60, zip code if the patient lives within a zip code with greater than 20,000 people in it, race, gender, ethnicity, marital status, and the year only of the health care occurrence are not considered individually identifiable information and these data may be used in the aggregate. 

All facilities must limit access to information only to those who have a need to know.  A nurse who seeks information about a patient not under her care is violating the HIPAA rules.  Similarly, health information can only be used for health purposes.  Employers cannot use the information to screen candidates for hire or promotion.  Financial institutions may not use it to determine lending practice.  Only the patient can explicitly authorize employers, banks, and individuals to have access to his/her medical information.

HIPAA also established the “minimum necessary rule” which stipulates that only the minimum necessary information may be shared, even with the patient authorization. A classic example would involve treatment for a case of child or domestic abuse; the provider would, rather than providing an entire medical record, furnish the pertinent data furnished in the form of an abstract outlining the information that is necessary to provide treatment and protect the victim(s).  The abstracted information could be provided to legal and law enforcement entities.  Health providers involved in the treatment of patients are not subject to the minimum necessary rule and can have full access to all information that is needed to provide patient care.  Health information that has implications for the public health and safety can be shared without consent.  There are several situations where medical information can be shared:  in Emergency 911 situations, when communicable diseases are involved, when law enforcement agencies participate, or if national defense or security is a factor.

The public health department is deemed a legitimate recipient of certain personal health information and providers may, in fact in some instances, must report some findings to the proper public health agency.  Included are:  cause of death even when the patient dies at home, reportable communicable diseases, child abuse, reporting an adverse drug reaction to the Federal Drug Administration, occurrence of cancer in a state with a cancer registry, meningitis, and immunizations for children.  These examples are thought to be important to the health of the public (Campos-Outcalt, 2004).

Patient Consent and Authorization

HIPAA makes a distinction between informed consent and patient authorization.  Patients are entitled to know exactly how an entity plans to use the information.

Informed consent is signed at the first encounter the patient has with the provider/health care facility; the consent covers treatment, payment, and other health care information.  The meaning and use of the patient’s consent must be carefully explained to the patient.  Facilities must explicate their disclosure process in a document called Information Practices.  The American Hospital Association published a sample consent and explanation document that was 10 pages long.  The document explains patient rights, as well as a description of how patient information is collected and used.  Facilities must decide how and when the information concerning consent is presented to patients and how patients can use their right to revoke consent.  Patients must also be advised about the agency’s policy that covers conditions for admission that are related to consent.

Patients may also sign authorizations.  These are required when information is used by the agency for purposes outside of treatment.  Agencies must assess their policies and procedures to assure that they are always using an authorization when it is needed; some agencies may not realize that information sharing policies violate the patient’s right to restrict release of data (Cichon, 2002).  Patients must be fully informed about the way agencies use a signed authorization and are entitled to receive a free accounting every twelve months describing how their health information has been used. 

HIPAA privacy regulations also mandate specific patient rights that include the following: 

  1. Right to privacy notice requires disclosure and reasonable effort to assure that the patient understands the agency’s policy concerning privacy of information.
  2. Right to request restrictions means that patients may specify health information that can not be released and/or, they may restrict to whom information can be released.
  3. Right to access of PHI means that patients must be allowed to inspect and copy information contained in the agency’s record.
  4. Right to know what disclosures have been made means the agency must track all information released and be able to provide documentation to the patient.
  5. Right to amend the PHI means that while patients may request amendments to the PHI and the agency must allow amendments, the agency may deny some requests.

Administrative Requirements

All covered entities are required to comply with certain procedural rules.  Most have had to develop new policies and procedures to address the many aspects covered under these rules. The following are some of the rules:

  1. Agencies must appoint a privacy officer who will monitor and audit compliance.
  2. Agencies must develop an internal compliance process that will assure no patient rights are violated, complaints are addressed and investigated, and that a process for remediation is in place.
  3. Training must be provided to employees to assure that they are informed about patient rights and disclosure of information.
  4. HIPAA requires that agencies document any and all violations and that sanctions parallel other disciplinary policies.
  5. Agencies must have a process for mitigating any harmful effect of disclosure.
  6. All forms of communication must be addressed in administrative safeguards.
  7. Agencies must agree and have policies that specify no retaliation for an employee or consumer who files a complaint.

Practical Application

Questions about the implications HIPAA rules have been numerous.  Can an office or laboratory have a patient sign in sheet?  Can you use a patient’s name to call him into a treatment room?  Can the patient’s name be posted outside the hospital door?  At this point, there is some agreement about some of these.  As long as personal information regarding the patient’s care or procedures to be done remain confidential, names can be outside hospital room doors, patients can be verbally called to treatment rooms, etc.  New questions will undoubtedly arise in the future.  Staying informed about the rules and regulations concerning HIPAA will be every health care worker’s obligation.           

Sign in sheets, once disallowed, can now be used along with bedside charts as long as reasonable precautions are taken to safeguard patient information.  Sign in sheets can only have the name and time; no information about the nature of the appointment can be included.  The patient can give consent or may decline to have information given to family members; facility staff is not obligated to verify the identity of relatives. 

HIPAA retains the rights of parents as the personal representative for minor children.  There are exceptions, however. Parents may decide that the child and provider have a confidential relationship that excludes the parent from receiving information.  A provider may choose to exclude the parent when abuse is suspected or when including the parent would endanger the child

Patients have the right to restrict clergy visits and religious information.  If the patient does want the clergy to visit, health care individuals should provide only the name and location of the patient.  They should not provide any information about the patient’s medical condition.  Further, patients have the right to restrict informing callers or visitors that they are in the hospital.  Most patients are asked on admission to the facility if they want such restrictions and, if they do, hospital workers may not acknowledge that a patient is in the hospital even including visitors, florists delivering flowers, etc.

Some information can be provided to law enforcement without patient consent.  Emergency technicians can contact the police at a crime scene and convey nature and location of the crime.  Information about a suspicious death may also be reported to the police.  HIPAA has a one call rule that permits contacting an organ procurement agency following a death. 

Repositories that store human tissue and fluids for future scientific analysis, i.e., genotyping, cell lines, other biotechnologies, express concern that HIPAA will fundamentally change how these commercial repositories function.  At question is whether property rights continue to apply to human tissue after removal from the body.  Prior to HIPAA, the Supreme Court in California ruled on the side of future research and determined that property rights end when tissue is removed from the body (Allen, 2004).  However, depending on how HIPAA rules are interpreted, informed consent may be required in order for research to be conducted on removed tissue. 

HIPAA and Research

Patients must sign an authorization to allow their information to be included in research projects.  Information can only be disclosed in accordance with a research protocol approved by an institutional review board.  All identifying individual information must be removed. 

One difficulty researchers may experience is the lack of specific guidance from HIPAA regarding construction of compliant, de-identified data sets, at this point researchers are developing strategies that they believe comply with the intent of privacy under HIPAA.  Ongoing analysis of medical information is critical for developing strategies to improve patient outcomes and reduce medical errors (Clause, Triller, Bornhorst, Hamilton, & Cosler, 2004).  Information that can be used in compliance with HIPAA includes:  gender, race, ethnicity marital status, dates of treatment if reported in years, age (for individuals older than 60, one must use 60+), and zip code if more than 20,000 reside in that zip code (Erlen, 2004)

Conclusion

HIPAA regulations require new behavior from health care professional and health care facilities.  Close coordination with other partners in health care delivery and reimbursement is mandatory to assure a continuous process of patient privacy. 

Restrictions and the ability to amend their protected health information give patients new control over what is documented in their personal health record.  Healthcare professionals may be challenged.  Involving patients as active participants in their care will dispel and avoid potential problems.

Administrators are advised to be sure staff is well trained and knowledgeable about the requirement of HIPAA.  Similarly, they many want to scrutinize day-to-day practices to evaluate whether violations of patients’ rights are occurring.

References

2013 Guide to HIPAA Compliance. (2013). Retrieved March 24, 2013, (Visit Source).

2013 HIPAA Guidelines. (2013). Retrieved March 24, 2013, (Visit Source).

Allen, M. D. (2004). Commercial tissue repositories:  HIPAA raises sponsors’ fears. Ethics and Human Behavior, 26(5), 9-11

Calloway, S. D. and Venegas, L. M. (2002).  The new HIPAA law on privacy and confidentiality.  Nursing Administrative Quarterly, 26(4), 40-54

Campos-Outcalt, D. (2004). How does HIPAA affect public health reporting?  The Journal of Family Practice, 53(9), 701-704

Centers for Medicare and Medicaid Services (n.d.) Retrieved May 30, 2005, (Visit Source).

Cichon, T. (2002). Implementing your HIPAA plan. Home Healthcare Nurse, 2012, 795-801

Clause, S.L., Triller, D. M., Bornhorst, C. P., Hamilton, R. A., & Cosler, L.E. (2004). Conforming to HIPAA regulations and compilation of research data. American Journal of Health System Pharmacy, 61, 1025-1031

DiBenedetto, D.V. (2003). HIPAA 101 Essentials for case management practice. Lippincott’s Case Management, 8(1), 14-23

Erlen, J.A. (2004). HIPAA clinical and ethical considerations for nurses. Orthopaedic Nursing, 23(6), 410-414

Follansbee, N. M. (2002). Implications for the health information portability and accountability act.  Journal of Nursing Administration, 32(1), 42-47

Gue, D.G. and Upham, R. (2004). The HIPAA prescription for healthcare why isn’t it working?  Health Management Technology, 25(9), 34-38

Herrin, B. S. (2003). Practical consideration of HIPAA privacy rules compliance.  Clinician News. January/February: 8, 19.


This course is applicable for the following professions:

Advanced Registered Nurse Practitioner (ARNP), Athletic Trainer (AT/AL), Certified Nursing Assistant (CNA), Clinical Nurse Specialist (CNS), Dietetic Technicians, Registered (DTR), Dietitian/Nutritionalist (RDN), Home Health Aid (HHA), Licensed Practical Nurse (LPN), Licensed Vocational Nurses (LVN), Midwife (MW), Registered Nurse (RN), Respiratory Therapist (RT)

Topics:

CPD: Prioritize People, CPD: Promote Professionalism and Trust, Legal & Regulatory


Last Updated: