Complying with the Health Insurance Portability and Accountability Act. Privacy standards

Abstract

The Privacy Rule: Limits the use and disclosure of PHI to purposes of treatment, payment, or routine health care operations. Requires covered entities to provide advance notice to the public of its policy governing disclosure of PHI. Requires entities covered by the Standard to secure general client consent to use and to disclose PHI for treatment, payment, or routine health care operations and to obtain specific client authorization to use or to disclose PHI for all other purposes unless the disclosure is specifically permitted without consent or authorization (e.g., a covered entity may disclose PHI to a health care oversight agency such as the Office of the Inspector General without first obtaining client authorization). In certain situations, a covered entity need only obtain client agreement to disclose PHI which may be oral or inferred from the circumstances surrounding the disclosure. For example, a covered entity could disclose PHI to a relative caring for the individual who is the subject of the health information. Expects covered entities to take measures to protect PHI from both inadvertent and deliberate misuse and disclosure. Requires, except in certain circumstances, the amount of PHI disclosed on any occasion to be limited to the minimum necessary to achieve the purpose of the disclosure. Gives individuals more control of their health information by permitting them to review and amend health information pertaining to themselves and to demand an accounting of persons to whom their health information has been disclosed. Establishes terms under which a covered entity may disclose PHI to a business associate. Permits states to maintain state laws that are more stringent than the Privacy Rule. The statute provides for significant civil and criminal penalties for failure to comply with the Standards. Violations are punishable by fines as much as $250,000 and 10 years imprisonment. The HHS, Office of Civil Rights is charged with enforcing the Standards. The HHS is expected to issue a single Enforcement Rule applicable to all three of the HIPAA Administrative Simplification Standards. Many worksite records will not be protected under the HIPAA Privacy Rule because employers are not covered entities and few occupational health professionals meet the criteria of being considered a covered entity. Nevertheless, occupational health professionals need to be knowledgeable about the application of HIPAA in the occupational health care setting. Furthermore, given that the Rule does not preempt state privacy laws that are more stringent than the Standards, occupational health professionals should monitor legislative activity related to privacy in the states in which they practice. To date, Oregon, Texas, and New Jersey have broadened HIPAA's definitions to create more covered entities and services.