Privacy and Confidentiality - HIPAA

The health care industry has set rules and regulations governing the privacy and confidentiality of patient data. According to Wager, Lee and Glaser, privacy is a person's right to be free from unwarranted publicity and to live their life apart from public view. Privacy of health care data is a person's right to ensure their health information remains confidential and out of the public domain. Confidentiality is the expectation that an individual's health care data are used only for their intended purpose and disclosed only for purposes related to the course of treatment.

The Health Insurance Portability and Accountability Act (HIPAA) is the federal statute that governs the use of health information and ensures the protection of private health information. When HIPAA was enacted in 1996, it contained two main title components. Title I addresses health insurance coverage, protecting individuals who change or lose their jobs or change their health insurance policies. Title II (Administrative Simplification) is the portion of the statute under which the privacy regulations governing individually identifiable health information, and the separate security regulations for electronic health information, were issued.

HIPAA, as a federal law, is meant to be the minimum standard for the privacy and confidentiality of health information: it preempts weaker state law but leaves more stringent state protections in force, and it encourages states and accrediting organizations to expand upon and augment the protections it provides. HIPAA was not the first attempt to regulate the privacy and confidentiality of an individual's health information. The first attempt was the Privacy Act of 1974, which was a reaction to the Freedom of Information Act (FOIA) of 1966. FOIA allows the American public to obtain records and information from the federal government, with some notable exceptions, most importantly regarding personal and medical information. The Privacy Act of 1974 was put in place to govern the use of this sensitive information while offering patient confidentiality protections. The limitation of the Privacy Act was its reach: it applied only to federal agencies and facilities such as the Veterans Administration and Indian Health Service facilities. 42 C.F.R. (Code of Federal Regulations) Part 2 was created out of concern for the privacy and confidentiality of patients undergoing drug and alcohol treatment and has been amended several times since. HIPAA was the first law to offer fully comprehensive rules and regulations for the privacy and confidentiality of an individual's private health information. HIPAA has gone through changes as well, the most significant being the HITECH Act of 2009 and the Omnibus Final Rule of 2013 that implemented it.

HIPAA defines Protected Health Information (PHI), defines the covered entities, and identifies both the people and organizations that must be in compliance. PHI is broadly defined as information that relates to a person's past, present or future physical or mental health, the provision of health care to the person, or the payment for that health care. To be PHI, the information must identify the individual (or provide a reasonable basis for identifying them), must be created or received by a covered entity, and may be transmitted or maintained in any form or medium (oral, paper or electronic). The definition of covered entities includes health plans, health care clearinghouses that process health information for purposes such as billing, and health care providers who transmit health information electronically in connection with standard transactions such as claims and eligibility checks. Under HITECH, business associates that handle PHI on behalf of a covered entity are directly subject to the rules as well.

The HIPAA privacy rule is built on 5 principles: boundaries, security, consumer control, accountability and public responsibility. Boundaries set the limits on the use of private health information, with very narrow exceptions, and ensure that PHI is used only for health purposes. Security, as a privacy principle, means that PHI is not disclosed without the patient's consent unless there is a clearly defined need; this is distinct from the separate HIPAA Security Rule, which prescribes administrative, physical and technical safeguards for electronic PHI. Consumer control gives individuals the ability to access and control their health records and to be informed of the purposes for which their information is used and disclosed. Accountability establishes civil and criminal penalties for violations of the regulations. Finally, public responsibility establishes that an individual's privacy interests must not override national priorities in public health, medical research, or investigations of fraud and other general law enforcement needs.

The HIPAA privacy rules were expanded by the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted in 2009 and implemented through rulemaking that culminated in the 2013 Omnibus Final Rule. HITECH was meant primarily to provide Medicare and Medicaid incentives for physicians and hospitals to adopt electronic health records. The expansion includes the establishment of new, tiered civil and criminal penalties for noncompliance; the mandate that all covered entities and business associates report breaches of unsecured PHI; the direct application of the privacy and security requirements to business associates of covered entities; and the creation of new privacy rights, including the right of an individual to prevent the disclosure of health information to a health plan when the individual has paid for the item or service in full out of pocket. There are also provisions for accounting for the disclosure of health information.

The health care industry has many rules and regulations governing the privacy and confidentiality of an individual's health information. States have their own patchwork of laws, and the federal government has instituted many such regulations over the years. However, HIPAA, first enacted in 1996, was the first truly comprehensive set of rules and regulations to provide protections for PHI. It defines protected health information and the entities that utilize it, and has provisions and rules on how the data can be used. It provides for criminal and civil penalties for noncompliance and, through HITECH, established accounting and reporting practices for breaches of private health data.

Wager, K. A., Lee, F. W., & Glaser, J. P. (2009). Health care information systems: A practical approach for health care management. San Francisco, CA: Jossey-Bass. pp. 241-247.