The Health Insurance Portability and Accountability Act of 1996, commonly known as HIPAA, is federal legislation that mandates the establishment of national standards to safeguard confidential patient health information and to prevent its unauthorized disclosure without the patient’s consent or knowledge.
The United States Department of Health and Human Services, commonly called the HHS, issued the Health Insurance Portability and Accountability Act Privacy Rule to implement the legislation’s provisions.
The Health Insurance Portability and Accountability Act Security Rule, in turn, focuses on safeguarding a specific subset of the information covered by the Privacy Rule.
1. The Health Insurance Portability and Accountability Act Privacy Rule
The standards set under the Privacy Rule address the use and disclosure of individuals’ health information, referred to as protected health information (PHI), by the organizations subject to the Privacy Rule, which are known as “covered entities.”
The rule also addresses individuals’ rights to understand and control how their health information is used; in short, it covers a wide range of duties for maintaining healthcare privacy.
It is essential to note that the primary objective of the Privacy Rule is not only to ensure that individuals’ health information is properly protected but also to allow the flow of information needed to provide and promote high-quality health care.
In addition, it aims to protect public health and well-being, since the regulation permits essential uses of information while upholding the privacy rights of those seeking care and healing.
2. The Statutory Background of The Health Insurance Portability and Accountability Act
The Health Insurance Portability and Accountability Act of 1996, officially known as Public Law 104-191, was enacted on August 21, 1996.
Sections 261 through 264 of the Act required the Secretary of the Department of Health and Human Services, commonly called the HHS, to establish standards covering not only the electronic exchange of health information but also its privacy and its confidentiality, that is, the security of health information.
These provisions, known as Administrative Simplification, were aimed at streamlining administrative processes in the healthcare sector.
The Act also required the Secretary to issue privacy regulations governing individually identifiable health information if Congress failed to pass privacy legislation within three years of the Act’s enactment.
Because Congress did not enact such legislation, the United States Department of Health and Human Services developed a proposed rule, which was released for public comment on November 3, 1999.
The department received an extensive response of over 52,000 public comments, which informed the final version of the regulation, officially called the Privacy Rule, published on December 28, 2000.
In March 2002, the Department of Health and Human Services proposed modifications to the Privacy Rule, which were again made available for public feedback. After receiving a substantial response of over 11,000 comments from the public, the department finalized the modifications, which were officially published on August 14, 2002.
The complete text, including both the initial regulation and the subsequent modifications, is codified at 45 CFR Part 160 and Part 164, Subparts A and E.
3. The Modus Operandi of The Health Insurance Portability and Accountability Act
The Health Insurance Portability and Accountability Act ensures that the accessibility, portability, and renewability of individual healthcare plans are maintained.
It also establishes standards and methods for the secure sharing of medical data within the United States health system in order to prevent fraud, and it takes clear precedence over state law except where state regulations are more stringent.
Since its inception in 1996, the legislation has undergone substantial modifications to incorporate procedures for securing the storage and electronic sharing of patient medical information.
It also encompasses administrative simplification provisions designed to improve efficiency and reduce administrative costs by introducing national standards.
A key milestone came in 2009, when the Health Information Technology for Economic and Clinical Health Act, also known as HITECH, expanded the Health Insurance Portability and Accountability Act’s privacy and security protections.
Enacted as part of the American Recovery and Reinvestment Act of 2009, the Health Information Technology for Economic and Clinical Health Act not only promotes the use of health information technology but also addresses the privacy and security concerns that arise from its provisions.
3.1. The Covered Entities
The Privacy Rule, like all the regulations under Administrative Simplification, applies to health plans, health care clearinghouses, and any health care provider that transmits health information electronically in connection with certain transactions.
These are the transactions for which the Secretary of the Department of Health and Human Services has adopted standards under the Health Insurance Portability and Accountability Act. Entities meeting this definition are referred to as “covered entities.”
3.2. The Health Plans
Health plans, one category of covered entities, are individual and group plans that provide or pay for the cost of medical care. They include health, dental, vision, and prescription drug insurers; health maintenance organizations; Medicare, Medicaid, Medicare+Choice, and Medicare supplement insurers; and long-term care insurers, excluding nursing home fixed-indemnity policies.
The definition also extends to employer-sponsored group health plans, government- and church-sponsored health plans, and multiemployer health plans. There are, however, exceptions to keep in mind.
For example, a group health plan with fewer than 50 participants that is administered solely by the employer is not a covered entity.
Likewise, certain government-funded programs are not categorized as health plans: those not primarily focused on providing or paying for the cost of health care, such as the food stamps program, and those directly involved in providing health care, such as community health centers.
Certain types of insurance entities, namely those offering only workers’ compensation, automobile insurance, and property/casualty insurance, are also not considered health plans.
Where an insurance entity has distinct lines of business, the Health Insurance Portability and Accountability Act’s regulations apply only to the line of business that qualifies as a health plan.
3.3. The Health Care Providers
Every health care provider, regardless of size, is a covered entity if it electronically transmits health information in connection with certain transactions.
These transactions include claims, benefit eligibility inquiries, referral authorization requests, and any other transaction for which the Department of Health and Human Services has established standards under the Health Insurance Portability and Accountability Act Transactions Rule.
Merely using electronic technology or media, such as email, does not by itself make a health care provider a covered entity; the electronic transmission must be in connection with a standard transaction.
The Privacy Rule applies to health care providers regardless of whether they transmit these transactions directly, use a billing service, or rely on any other third party for transmission.
The term “health care providers” covers both providers of services, which include institutional providers such as hospitals, and providers of medical or health services, which include non-institutional providers such as physicians, dentists, and other practitioners, as defined by Medicare.
It also includes any individual or organization that furnishes, bills, or is paid for health care services.
3.4. The Health Care Clearinghouses
Besides health plans and health care providers, there are health care clearinghouses: entities that process nonstandard information received from another entity into a standard format or data content, or vice versa.
In most cases, health care clearinghouses receive individually identifiable health information only when providing processing services to a health plan or health care provider as a business associate.
In such cases, only specific provisions of the Privacy Rule apply to the health care clearinghouse’s uses and disclosures of protected health information.
Examples of health care clearinghouses include billing services, repricing companies, community health management information systems, and value-added networks and switches. These entities qualify only if they actually perform clearinghouse functions.
3.5. The Business Associates
Since a health plan or health care provider may engage a business associate, as noted above, it is essential to understand what the term means. A business associate is an individual or entity, other than a member of a covered entity’s workforce, that performs certain functions or activities on behalf of a covered entity, or provides certain services to it, that involve the use or disclosure of individually identifiable health information.
The functions or activities a business associate performs for a covered entity include claims processing, data analysis, utilization review, and billing.
The services a business associate provides to a covered entity include legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, and financial services.
Individuals or organizations are not considered business associates if their services do not involve the use or disclosure of protected health information, so that any access to such information would be incidental, if it occurs at all. Importantly, a covered entity can itself be the business associate of another covered entity.
3.6. The Business Associate Contracts
When a covered entity engages a contractor or other third party to perform services or activities that fall within the definition of a business associate, the Health Insurance Portability and Accountability Act’s Privacy Rule requires that specific protections for the information be put in place through a business associate agreement.
Covered entities that had an existing written contract or agreement with a business associate before October 15, 2002, and did not renew it before April 14, 2003, were permitted to continue operating under that contract until it was renewed or modified or until the later date, whichever came first.
4. The Confidential Information Under The Act
To understand the Health Insurance Portability and Accountability Act, it is essential to examine which information falls under the protection the legislation grants.
4.1. The Concept of Protected Health Information
The crux of the Privacy Rule is that it safeguards all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or medium, whether electronic, paper, or oral. This information is known as “protected health information” or “PHI.”
As used throughout this article, “individually identifiable health information” is information, including demographic data, that relates to:
- The individual’s past, present, or future physical or mental health or condition
- The provision of health care to the individual
- The past, present, or future payment for the provision of health care granted to the individual
Such information either identifies the individual or provides a reasonable basis to believe it can be used to identify the individual. Common identifiers within individually identifiable health information include name, address, birth date, and Social Security Number.
Notably, the Health Insurance Portability and Accountability Act’s Privacy Rule excludes from the definition of protected health information any employment records that a covered entity maintains in its role as an employer.
Likewise, education records that are subject to or defined in the Family Educational Rights and Privacy Act, 20 U.S.C. Section 1232g, are excluded from the category of “protected health information.”
4.2. The Idea of De-Identified Health Information
As described above, identifiable health information is information from which the individual concerned can be identified. There is, however, also a scenario in which such identity is not disclosed.
There are no restrictions on the use or disclosure of de-identified health information, since such data neither identifies an individual nor provides a reasonable basis for identifying one. De-identification can be achieved by two methods:
- Formal Determination by a Qualified Statistician: a qualified statistician formally determines that the information has been de-identified.
- Removal of Specified Identifiers: specified identifiers of the individual and of the individual’s relatives, household members, and employers are removed. This method is adequate only if the covered entity has no actual knowledge that the remaining information could still be used to identify the individual.
5. The General Principle for Uses and Disclosures of Health Information
The primary objective of the Health Insurance Portability and Accountability Act’s Privacy Rule is to define and restrict the circumstances under which an individual’s protected health information may be used or disclosed by the covered entities described above.
Covered entities are prohibited from using or disclosing protected health information unless certain conditions are met.
The first condition is that the disclosure is permitted: covered entities may use or disclose protected health information only in accordance with a provision of the Privacy Rule that authorizes or permits the action.
There is a second route through which such disclosure is allowed.
Covered entities may use and disclose protected health information if the individual who is the subject of the information, or their personal representative, gives written authorization for that use or disclosure.
Having covered how protected health information may be disclosed, it is equally important to understand when disclosure is required. A covered entity is obligated to disclose such data only in the following specific situations:
- To Individuals or Their Personal Representatives: the protected information is disclosed to the individual it concerns, typically when the individual requests access to their protected health information or an accounting of disclosures. Only then must the covered entity provide the requested information.
- To the Department of Health and Human Services or the HHS: disclosure to the Department of Health and Human Services is required when it is conducting a compliance investigation or review or an enforcement action. It is essential to note that only this department is entitled to seek access to such protected information in this way.
In essence, the Health Insurance Portability and Accountability Act of 1996 is federal legislation that mandates national standards to safeguard confidential patient health information and to prevent its unauthorized disclosure without the patient’s consent. The Privacy Rule issued under the Act not only defines the covered entities but also states when and how such disclosure may take place.