What Is HIPAA and Where Did It Come From?
The Health Insurance Portability and Accountability Act (HIPAA) is federal legislation that was signed by President Clinton in 1996. The Act ensures that individuals are able to renew or obtain health insurance in the event of a job loss or change in jobs. This guarantees portability across employment settings and is intended to reduce, and hopefully eliminate, discrimination against individuals with a preexisting medical condition. The legislation was expanded to include administrative simplification and healthcare abuse and fraud, which for the most part focused on issues with respect to the privacy of patients' health information.
Administrative simplification is divided into two categories: standardizing shared electronic information, and protecting the privacy and security of patient information stored in the electronic medical record. The privacy of patient information prompted the drafting of the Privacy Rule. The U.S. Department of Health and Human Services (HHS) issued the Privacy Rule, which was to be implemented as a requirement of the Health Insurance Portability and Accountability Act of 1996. The requirements are outlined in the Summary of the HIPAA Privacy Rule.
HHS published a proposed rule defining privacy standards for individually identifiable health information on November 3, 1999. The proposed rule was available to the public for review, and the public submitted more than 52,000 comments. These comments were organized into a response to the proposed rule. HHS took the comments under consideration and issued a final rule on December 28, 2000, that formally established the standards for Privacy of Individually Identifiable Health Information, more commonly known as the Privacy Rule.
The Privacy Rule standards address the use and disclosure of individuals' health information, called protected health information. Organizations that are required to demonstrate compliance with the privacy standards for individuals' privacy rights must understand and control how their patients' health information is used. The Privacy Rule outlines regulations that govern the access, use, and disclosure of personal health information.
The O’Neill Institute (2009) drafted an Executive Summary that defines the final goal of the Privacy Rule: to ensure that an individual’s health information is readily accessible to healthcare providers who are authorized to access it, and that the information is kept confidential and protected from inappropriate use.
Since the enactment of the Privacy Rule, there has been much confusion and misunderstanding about how it applies to various situations. The final Privacy Rule was enacted in 2001, and special guidelines were drafted to address concerns regarding its application to unique healthcare activities. Within HHS is the Office for Civil Rights (OCR). This office is responsible for implementing and enforcing the Privacy Rule with respect to compliance activities. Money penalties are enforced for non-compliance by healthcare entities.
The notice of privacy practices must be in writing, and patients must be informed of their rights regarding their personal health information. These rights cover access to medical records, the amendment of information contained within their personal medical record, an accounting of individuals who have had access to their medical information, and special requests to limit disclosure of sensitive information. When the electronic health record began to emerge, further concerns regarding the protection of health information had to be dealt with on a different level.
The American Recovery and Reinvestment Act (ARRA) was passed in 2009. The Health Information Technology for Economic and Clinical Health (HITECH) Act was passed as a part of the ARRA. The goal of funding this initiative was to develop advanced health information technology that would be used nationwide, with organizations incentivized to participate and to adopt the culture of an advanced health information organization. Healthcare facilities are expected to have in place a certified electronic health record that meets the requirements of HIPAA, the Privacy Rule, HITECH, and ARRA. If this is accomplished, the healthcare facility would be allocated additional funding to assist with the provision of patient care. The full implementation of an electronic system is expected to be in place by the end of 2013.