How to Protect HIPAA Privacy

HIPAA, or the Health Insurance Portability and Accountability Act, was signed into law in 1996. It changed the way health information is handled, created standards for electronic claims, implemented national identifiers, and ensured the security and privacy of patient information. HIPAA's Privacy Rule provides federal protections for personal health information held by "covered entities" and "gives patients an array of rights with respect to that information." The Privacy Rule states how protected health information (PHI) should be handled, including who can view patient information, when authorization for release is required, and how policies for disclosure of information are implemented.

Things You'll Need

  • Patient information
  • HIPAA guidelines

Instructions

  1. Protecting patient information under HIPAA

    1. Create authorizations that plainly give the health care provider permission to disclose protected health information for treatment, payment, business operations and other reasons such as marketing and research.

    2. Ensure that business associates who are not covered entities have signed the appropriate contracts and releases. The Department of Health and Human Services (DHHS) defines a business associate as "a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity."

    3. Implement release policies for proper disclosure of information. Create policies and procedures that follow appropriate authorization guidelines. For example, HIPAA's Privacy Rule states that release of psychotherapy notes, and release of PHI for marketing, requires special authorization.

    4. Understand required disclosures. HIPAA requires the release of PHI to patients who want to review their own medical information, and to the DHHS when it reviews records during a compliance investigation.

    5. Understand permitted disclosures without authorization. HIPAA allows six circumstances in which PHI may be disclosed without an authorization: to a patient for their own information; when the disclosure is "incidental" (accidentally released); for TPO (treatment, payment, operations); for inclusion in a directory of patients; for public health; and for research.

    6. Limit disclosure of the patient's information to the "minimum necessary." This means only the information needed to complete the request should be provided. The minimum necessary requirement states that "protected health information should not be used or disclosed when it is not necessary to satisfy a particular purpose or carry out a function."

    7. De-identify health information released for research and marketing purposes. Remove name, address, Social Security number, phone number, etc., so that a patient cannot be identified from the information released.

    8. Provide adequate staff training. Each patient must be provided with a "Notice of Privacy Practices" (NOPP) when being treated by a health care provider. A signed notice of receipt must be obtained from the patient and kept in their medical record.
