Chapter 4: Definition of HIPAA & HITECH
The Health Insurance Portability and Accountability Act of 1996, or HIPAA, is legislation that…
- Establishes national standards for electronic healthcare records and patient privacy.
- Defines policies, procedures, and guidelines for maintaining the privacy and security of health information.
The Health Information Technology for Economic and Clinical Health Act, or HITECH, is a 2009 update to HIPAA that…
- Aims to improve the privacy and security of sensitive medical data.
- Incentivizes and improves the meaningful use of electronic health records across the medical industry.
- Expands the types of entities that must adhere to HIPAA privacy guidelines and increases the penalties for those who don't follow the rules.
Great Definitions! What Do They Mean?
Basically, HIPAA and HITECH are the rules that hospitals, doctors, healthcare insurance providers, and healthcare workers have to follow when dealing with what's known as "protected health information" (PHI). PHI is any information concerning an individual's health status, provision of healthcare, or payment for healthcare. In other words, it's any part of an individual's medical record or payment history.
In a nutshell, these laws aim to protect patient privacy.
So what do nurses need to know in order to comply with these laws? To get a good understanding of the requirements, read the Summary of the HIPAA Privacy Rule by the US Department of Health and Human Services. But for a quick breakdown, here are some key details:
- The rules apply to protected health information in any form: electronic, paper, or spoken.
- A nurse is only required to disclose PHI in two situations:
  - To individuals or their personal representatives when they request access to their PHI.
  - To the Department of Health and Human Services when under investigation.
- A nurse is permitted, but not required, to disclose PHI without an individual's authorization…
  - When speaking to the individual.
  - For treatment, payment, and healthcare operations.
  - In a situation where the individual needs to agree or object.
  - When required by law (e.g., situations of abuse, law enforcement purposes, or judicial proceedings).
  - In a limited data set for medical research.
HIPAA establishes standards for protecting, storing, and transmitting confidential health information.
Another key point is that the law generally states that when PHI is disclosed, only the minimum amount of information necessary should be included.
HIPAA and HITECH also include administrative requirements to keep PHI safe. Generally, covered entities must…
- Have privacy policies and procedures in place.
- Train staff members on privacy regulations.
- Use physical, administrative, and technical safeguards when it comes to data, such as shredding documents, limiting access, or encrypting information and requiring passwords.
From a risk perspective, HIPAA violations are the most significant concern for nurses after malpractice exposures. Failure to stay compliant with HIPAA regulations can result in serious civil fines and even lawsuits.
Depending on your services, you may have to approach HIPAA regulations differently. An independent nurse will have different responsibilities than a nurse practitioner running a clinic, for example. Be sure to study the law and know how to stay compliant. Most of it is largely common sense, fortunately, but that sense can be the difference between a happy patient and a hefty fine.
HITECH expands the reach of HIPAA by increasing penalties for violations and covering more entities.