HIPAA: What Is It, and Why Does It Matter to You?
No, HIPAA is not shorthand for hippopotamus. Nor is it something bad. In fact, it’s something good. Fill out any paperwork at a doctor’s office, and you will be asked to review and sign a HIPAA authorization and release. What is HIPAA?
HIPAA is a federal law protecting your health information. The acronym “HIPAA” stands for “Health Insurance Portability and Accountability Act of 1996.” Its purpose is to protect your privacy rights as a patient.
When Congress enacted HIPAA in 1996, Congress put in place, for the first time, national standards for protecting health information. HIPAA required the Secretary of the Department of Health and Human Services (“HHS”) to issue privacy regulations governing individual health information if Congress did not enact privacy legislation by 1999. When Congress did not, HHS developed its proposed rule in 1999 and released it for comment in 1999 and 2002. The final “Privacy Rule” was published in August 2002, found at 45 C.F.R. Parts 160 and 164, Subparts A and E.
That Privacy Rule, accompanied by state laws, is the reason for the paperwork and practices we see in the medical field governing personal health information. Now that we are at the 20-year mark of the Privacy Rule becoming effective, it seems an opportune time to examine what it requires.
The Big Picture:
The guiding principle of the Privacy Rule is that a “covered entity” may not use or disclose your “protected health information” without authorization. The Privacy Rule authorizes certain disclosures. You or your personal representative may authorize other disclosures.
Who is a “Personal Representative”?
A “personal representative” for HIPAA purposes is a person legally authorized to make health care decisions on an individual’s behalf or to act for a deceased individual or estate. Usually a parent is considered the personal representative for the parent’s minor child. A covered entity must treat the personal representative the same as the patient. However, if the covered entity has a reasonable belief that the personal representative may be abusing or neglecting the individual, the Privacy Rule permits the covered entity to refrain from disclosing.
The person you designate in your Health Care Power of Attorney to make health care decisions for you is your personal representative for purposes of HIPAA. This and similar aspects of this issue are codified at 16 Del. C. § 2509 “Health-care information”:
“(a) Unless otherwise specified in an advance health-care directive, a person then authorized to make health-care decisions for a patient has the same rights as the patient to request, receive, examine, copy and consent to the disclosure of medical or any other health-care information.
(b) Unless otherwise specified in an advance health-care directive or court order, an agent appointed by a valid advance health-care directive under this chapter, a surrogate determined and confirmed under § 2507 of this title or a guardian of the person of a minor or adult appointed pursuant to a court order shall be authorized as a “personal representative” with full authority and standing thereof as provided in the Health Insurance Portability and Accountability Act of 1996 [P.L. 104-191], its regulations and the standards issued by the Secretary of the United States Department of Health and Social Services.”
What is a Covered Entity?
A “covered entity” under HIPAA includes actual health care providers, such as doctors’ offices, hospitals, and nursing facilities. It also includes a “health care plan,” including an individual or group plan that pays for the cost of medical care, such as health maintenance organizations (HMOs), Medicare, Medicaid, and Medicare Supplement providers. A covered entity includes a health care provider who electronically transmits health information in connection with certain transactions, including claims, benefits eligibility inquiries, and referral authorization requests. Covered entities are bound by privacy standards even if they contract with others to perform some essential functions.
What Does HIPAA Require Covered Entities to Do Besides Not Disclose Without Authorization?
Covered entities must perform certain duties such as:
(1) Notifying patients about their privacy rights and how their information can be used;
(2) Adopting and implementing privacy procedures;
(3) Training employees to ensure they understand the privacy procedures;
(4) Designating an individual to be responsible for ensuring that privacy procedures are adopted and complied with; and
(5) Securing patient records.
What Information is Protected?
HIPAA protects all “individually identifiable health information” that is held or transmitted by a covered entity or those it contracts with. This includes information about: (1) the individual’s past, present or future physical or mental health condition; (2) the providing of health care to the individual; or (3) past, present or future payment for providing health care to the individual. To be protected, information must specifically identify the individual, or there must be a reasonable basis for believing that the information can be used to identify the individual.
When May a Covered Entity Disclose Protected Health Information?
A covered entity may disclose protected health information to the patient or personal representative for purposes of treatment, payment, and other health care operations.
Disclosure for purposes of public interest is permitted, but not required, for example if disclosure is required by another law (including statutes, regulations, and court orders), or to public health authorities for such purposes as preventing and controlling disease. In some instances, information regarding victims of abuse or neglect may be provided to appropriate government agencies. Disclosure may be made to funeral directors for purposes of identifying a deceased person and determining cause of death. Disclosure for law enforcement purposes is permitted.
What are the Penalties for HIPAA Noncompliance?
There is no private cause of action for a HIPAA violation, although it may be possible for individuals to pursue legal action under state laws. Under HIPAA, a covered entity is subject to civil and criminal penalties for failure to comply with HIPAA. Civil penalties may be imposed by HHS on covered entities as monetary fines for each violation. Criminal penalties, including imprisonment and fines, are possible if noncompliance involves intent to sell, transfer or use health information for commercial advantage, personal gain, or malicious harm.
The Privacy Rule, along with state laws, is the reason for so many of the daily practices we see in managing the health care of ourselves and our loved ones: forms at doctor’s offices, pharmacy texts and e-mails that hide identifiable information, not being permitted to ask questions of the doctor’s office staff about a loved one by telephone unless a signed HIPAA authorization and release is on file.
For these purposes we provide in all of our estate plans a HIPAA Authorization and Release for you to sign, copy and provide to any covered entity, authorizing the covered entity to disclose your private information to your designated agents. We also include provisions in the Health Care Power of Attorney specifically authorizing your agents to receive and disclose protected health information.
For helpful FAQs for Individuals, see the HHS website on HIPAA at: https://www.hhs.gov/hipaa/for-individuals/faq/index.html.