Over the past twenty-odd years, we have heard terms like HIPAA, Privacy, and Patient Confidentiality used when speaking about electronic medical records. In this article, we will explain some terms and definitions related to patient privacy.

HIPAA – HIPAA stands for the Health Insurance Portability and Accountability Act. Its goal is to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.

HIPAA Privacy Rule – This rule addresses the specifics regarding the use and disclosure of Protected Health Information, or PHI (ePHI for electronic records), by Covered Entities.

Covered Entities – There are several types of Covered Entities, all of which are subject to the HIPAA Privacy Rule.  Covered Entities include:

  • Healthcare Providers – Every healthcare provider, regardless of size, who electronically transmits health information in connection with certain transactions, such as Claims, Benefit Eligibility, Referral Authorizations, and other transactions for which HHS (Health and Human Services) has established standards.
  • Business Associates – A person or organization that is not employed by a Healthcare Provider but, as part of their duties to the Healthcare Provider, uses or discloses Personally Identifiable Information (PII). These activities include Claims Processing, Data Analysis, Utilization Review, Billing, computer technicians who might see a patient’s name or condition as part of their work, shredding companies, cleaning crews, etc.

Permitted Uses and Disclosures – The law permits, but does not require, a Covered Entity to use and disclose PHI without an individual’s consent for the following purposes:

  • Disclosure to the individual (when the individual requests access to their information or an accounting of disclosures, the entity MUST disclose it to the individual)
  • Treatment, payment, and healthcare operations
  • Uses and disclosures for which the entity has obtained informal permission, either by asking the individual outright or through circumstances that clearly give the individual the opportunity to agree, acquiesce, or object
  • Incident to an otherwise permitted use and disclosure
  • Limited dataset for research, public health, or healthcare operations
  • Public interest and benefit activities. The Privacy Rule allows use of PHI, without the individual’s authorization or permission, for 12 national priority purposes:
    • When required by law
    • Public health activities
    • Victims of abuse, neglect, or domestic violence
    • Health oversight
    • Judicial and administrative proceedings
    • Law enforcement under certain circumstances
    • Identification concerning deceased persons
    • Organ, eye, or tissue donation
    • Research under certain conditions
    • To prevent or lessen a serious threat to health or safety
    • Essential government functions
    • Workers’ compensation

In short, HIPAA restricts PHI and ePHI to a need-to-know basis. Anyone without a need to know, who is not a Covered Entity, should not see PHI or ePHI unless the patient discloses it.