Workgroup for Electronic Data Interchange

Dedicated to improving healthcare through Electronic Commerce.


Privacy

Background

Under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, the US Department of Health and Human Services (DHHS) published, on November 3, 1999, proposed regulations establishing national standards for privacy of health information.

Who Is Subject to These Regulations?
("Covered Entities")
The following entities are covered by the proposed regulations:

  • All health care providers who choose to transmit health information electronically

  • All health plans

  • All health care clearinghouses

Covered entities would be allowed to disclose health information to persons or organizations they hire to perform functions on their behalf. These "business partners" would not be permitted, under contractual obligation with the covered entity, to use or disclose protected health information in ways that would not be permitted of the covered entity itself.

What Health Information Is Covered by the Proposed Regulations?
("Protected health information")

The proposed regulations protect health information that 1) identifies an individual and 2) is maintained or exchanged electronically. If the information has any components that could be used to identify a person, it would be covered. The protection would stay with the information as long as the information is in the hands of a covered entity or a business partner. The paper progeny of electronic information is covered (i.e., the information would not lose its protections simply because it is printed out of a computer).

Uses and Disclosures Permitted with Individual Authorization

Covered entities could use or disclose protected health information with the individual's authorization for any lawful purpose. A standard form would be established for this purpose. Each authorization must specify the information to be disclosed, who would get the information, and when the authorization would expire. Individuals could revoke an authorization at any time.

The regulations would prohibit covered entities from conditioning treatment or payment on the individual agreeing to disclose information for other purposes, and require the authorization form to state this prohibition.

Disclosures Permitted Without Authorization for Health Care Treatment, Payment, and Operations

Covered entities could use and disclose protected health information without authorization for treatment, payment and health care operations. This would include purposes such as quality assurance, utilization review, credentialing, and other activities that are part of ensuring appropriate treatment and payment. Individuals may ask a covered entity to restrict further use and disclosure of protected health information for treatment, payment, or health care operations (with the exception of uses or disclosures required by law). The covered entity would not be required to agree to such a request, but if the covered entity and the individual agree to a restriction, the covered entity would be bound by the agreement.

Other Uses and Disclosures of Health Information Permitted Without Authorization

Covered entities could use and disclose protected health information without individual authorization for the following national priority activities:

  • Oversight of the health care system, including quality assurance activities

  • Public health, and in emergencies affecting life or safety

  • Research

  • Judicial and administrative proceedings

  • Law enforcement

  • To provide information to next-of-kin

  • For government health data systems

  • For identification of the body of a deceased person, or the cause of death

  • For facilities' (hospitals, etc.) directories

  • To financial institutions, for processing payments for health care

  • In other situations where the use or disclosure is mandated by other laws.

Individual Rights

The proposed rule would provide basic rights for individuals with respect to their protected health information. Individuals would have:

  • The right to receive a written notice of information practices from health plans and providers. The notice must describe the types of uses and disclosures that the plan or provider would make with health information (not just those uses and disclosures that could lawfully be made).

  • The right to obtain access to protected health information about them, including a right to inspect and obtain a copy of the information.

  • The right to request amendment or correction of protected health information that is inaccurate or incomplete.

  • The right to receive an accounting of the instances where protected health information about them has been disclosed by a covered entity for purposes other than treatment, payment, or health care operations.

Administrative Requirements for Covered Entities

Under the proposed rules, providers and payers are required to implement basic administrative procedures to protect health information. Among them:

  • Develop a Notice of Information Practice;

  • Allow individuals to inspect and copy their protected health information.

  • Develop a mechanism for accounting for all disclosures made for purposes other than treatment, payment, and health care operations.

  • Allow individuals to request amendments or corrections to their protected health information.

  • Designate a privacy official;

  • Provide privacy training to members of its workforce who would have access to protected health information;

  • Implement physical and administrative safeguards to protect health information from intentional or accidental misuse;

  • Establish policies and procedures to allow individuals to log complaints about the entity's information practices, and maintain a record of any complaints; and

  • Develop a system of sanctions for members of the workforce and business partners who violate the entity's policies.

  • Have available documentation regarding compliance with the requirements of the regulation.

  • Develop methods for disclosing only the minimum amount of protected information necessary to accomplish any intended purpose.

  • Develop and use contracts that will ensure that business partners also protect the privacy of identifiable health information.

Preemption of State Laws

Pursuant to the HIPAA law, this rule will preempt state laws that are in conflict with the regulatory requirements, with exceptions for certain public health functions and related activities.

Enforcement and Penalties

Under HIPAA, the Secretary is granted the authority to impose civil monetary penalties against those covered entities that fail to comply with the requirements of this regulation.

Background papers courtesy of Walter Suarez, MD, Executive Director of the Minnesota Health Data Institute and the Minnesota Electronic Commerce Healthcare Users Group (MEHUG).
     

