September 6, 2005 Feature

HIPAA: Impact on Clinical Practice

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that standardizes the electronic exchange of administrative and financial data related to health care (HIPAA, 1996). To achieve its primary purpose-administrative simplification of electronic health care transactions-Congress authorized the U.S. Department of Health and Human Services (DHHS) to write standards to protect the privacy of individually identifiable health information, so-called protected health information (PHI).

The standards are found in the U.S. Code of Federal Regulations (CFR) and collectively are called the Standards for Privacy of Individually Identifiable Health Information-in short, the "Privacy Rule." DHHS explained that whereas "[p]rivacy is a fundamental right…[i]ndividuals' right to privacy in information about themselves is not absolute" (Federal Register, 2000, p. 82464). As a result, HIPAA's Privacy Rule balances patients' desire for medical privacy with the legitimate needs of health care providers, employers, researchers, public health officials, and law enforcement officials.

The purpose of this article is to aid clinicians by answering questions about the Privacy Rule requirements and describing when clinicians should obtain authorizations and/or maintain an accounting of disclosures. Clinicians should receive HIPAA education from their employers, and should consult with their institution's Privacy Officer if they have specific questions.

Basic Concepts

To understand the law as it applies to communication among health care providers, it is important to understand how HIPAA defines "covered entity," "health care provider," and "health care."

First, HIPAA applies only to "covered entities." With few exceptions, you are a covered entity if you are (or are employed by) a health plan, a health care clearinghouse, or a health care provider that transmits any health information electronically. Second, you are a "health care provider" if you provide health services, or you are "any other person or organization who furnishes, bills, or is paid for health care in the normal course of business." Third, "health care" means "care, services, or supplies related to the health of an individual" and includes "preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body" (45 CFR 160.103).

In short, if you are (or are employed by) a covered entity, HIPAA's Privacy Rule applies to you.

Protected Health Information

The Privacy Rule is intended to prevent covered health care providers from using or disclosing health information without patients' authorization or other legal authority. Under HIPAA's Privacy Rule, individually identifiable health information is PHI that is transmitted or maintained in any form or medium. Individually identifiable health information is PHI whether you create it or receive it (45 CFR 164.501). PHI is information about an individual, including demographic information, that relates to the individual's past, present, or future health or condition, the care provided, or the payment history of the individual (45 CFR 160.103).

Individual identifiers are: names; geographic identifiers smaller than a state (e.g., street address, city, zip code); dates related to an individual (e.g., birth date, admission date); telephone numbers; FAX numbers; e-mail addresses; social security numbers; medical record numbers; health plan beneficiary numbers; account numbers; certificate/license numbers; vehicle identifiers, serial numbers, license plates; device identifiers and serial numbers; Web universal resource locators (URLs); Internet protocol (IP) address numbers; biometric identifiers, including fingerprints and voiceprints; full-face photographic images; or any other unique identifying number, characteristic, or code (45 CFR 164.514[b][2]).

HIPAA is a federal law that applies to both private and public "covered entities." HIPAA supersedes state law governing privacy of individually identifiable health information (45 CFR 160.203), with the following exception: if state law is more stringent than HIPAA, then practitioners must observe the more stringent state law standard, in addition to the HIPAA rules (45 CFR 160.203[b]).

The Minimum Necessary Standard

The law stipulates that communications should adhere to the "minimum necessary" standard. This means simply that communication by you about a patient-either within your employment setting or with outside consultants-should be "the minimum necessary to accomplish the intended purpose of the use, disclosure, or request" (45 CFR 164.502[b][1]).

The minimum necessary requirement does not apply to all uses/disclosures of PHI. For example, it is permissible to use or disclose PHI if the use or disclosure is: for treatment, payment, and health care operations purposes; made to the individual patient; done with the patient's authorization; made to DHHS; required by law; or required for compliance purposes (45 CFR 164.502[b][1], 164.502[a][2][1], 164.508, 164.512[a]). The sidebar above addresses typical questions that arise in clinical practice.

Even though the minimum necessary rule does not apply if the use or disclosure of PHI pertains to treatment payment and health care operations, when in doubt, follow the minimum necessary rule. Lastly, if all identifiers are removed, the information no longer qualifies as PHI and therefore, PHI restrictions do not apply (45 CFR 164.514[a]).

Notice and Permitted Disclosures

The Privacy Rule requires that all patients receive a standard Notice of Privacy Practices that must include "the types and uses and disclosures that the covered entity is permitted…to make for each of the following purposes: treatment, payment, and health care operations" (45 CFR 164.520[b][1][ii][A]). Importantly, as a health care provider, you are explicitly permitted to use or disclose PHI for "treatment, payment, or health care operations" (45 CFR 164.502[a][1]). When the use or disclosure is for treatment, the health care provider may, but is not required, to obtain consent (authorization) for each disclosure (45 CFR 164.506[b][1]).

Authorizations for Disclosures Outside a Covered Entity

When PHI is disclosed (released) to organizations outside of a "covered entity," health care providers must adhere to the Privacy Rule's requirements regarding authorizations, disclosures, and accounting for disclosures. As a covered entity, a health care provider need not obtain patients' authorization for disclosures of PHI for treatment purposes, or when disclosures are authorized by law for public health or law enforcement purposes. However, an accounting of such disclosures may be required, depending on the situation.

An authorization, a disclosure, and an accounting for disclosures are interrelated in the Privacy Rule, and the Privacy Rule specifies different requirements for each of these functions in different situations. In other words, if you release or disclose PHI-orally or in writing-to someone outside your covered entity, you may need to obtain authorization, and account for these disclosures-depending on what you disclose, to whom, and why. The Table (see Authorizations and Accounting for Disclosures [PDF format]) outlines common types of disclosures to illustrate when patient authorization (consent) is required, and whether the covered entity must account for the disclosure.

Summary

At first glance, HIPAA appears to be a complicated and daunting set of rules for both clinicians and researchers.

Understanding HIPAA requires an appreciation of Congress's intent, namely, to streamline the administration of health care in the age of electronic technology, while protecting patients' legitimate privacy interests.

Jennifer Horner, has degrees in speech-language pathology and law, and is an associate professor and director, Communication Sciences and Disorders, and chair, Department of Rehabilitation Sciences, in the College of Health Professions, Medical University of South Carolina. Contact her at hornerj@musc.edu.

Michael Wheeler, is the privacy officer of the Medical University of South Carolina. Contact him at wheelerm@musc.edu.

cite as: Horner, J.  & Wheeler, M. (2005, September 06). HIPAA: Impact on Clinical Practice. The ASHA Leader.

HIPAA: Practical Tips

Q: Must a health care provider (clinician) obtain written consent for treatment?

All patients should receive a Notice of Privacy Practices. After that, disclosures for the purpose of treatment do not require a written consent.

Q: When referring a patient from one's own facility to a community provider, may the  clinician call or write a letter to the receiving  facility?

Yes. If the correspondence between health care providers is for the purpose of treatment, the two providers may correspond by phone, letter, or FAX without fear of violating HIPAA (including sharing identifying information). If the correspondence is by FAX, the sender should take special precautions by alerting the recipient that the FAX is about to be sent and verify the FAX was received.

Q: Is it permissible to e-mail a diagnostic report for treatment or consultation?

Correspondence by e-mail is permitted, but  special security rules apply. Under HIPAA's Security Standards (effective in April 2005), the covered entity is required to maintain the integrity and security of its electronic media (164.314[e]). Furthermore, if the Internet or dial-up lines are used, HIPAA encourages (but does not require) entities to use encryption. Finally, to further guard against unauthorized access to PHI transmitted by e-mail, do not type the patient's name in the "subject line," because this might allow someone to trace the e-mail. Unless encryption is used, the best practice is to remove all individual  identifiers from the e-mail.

Q: May a clinician consult with an expert about a patient's care?

Consultation is permitted, but it is important to observe the "minimum necessary" rule. The level of precaution you take should be proportionate to the degree of perceived risk either that you will violate the terms of the Notice of Privacy Practices that the patient has agreed to, or that a third party might use or disclose the PHI inappropriately.

Q: Does HIPAA permit a clinician to photograph or videotape a patient for teaching purposes?

The "health care operations" provision of HIPAA includes "training and teaching." However, photos and videotapes should be de-identified (164.514[b][2][Q]) or consent obtained from the patient or patient's  representative. State law, JCAHO and/or institutional policy should be followed without exception when the clinician intends to use photographs or videotapes for diagnostic, treatment, quality assurance, educational, or marketing purposes-normally, respect for the patient will require explicit and specific consent for any of these purposes.

Q: Do clinicians need an authorization (consent) from a patient to disclose PHI for treatment, payment, or health care operations, and should the clinician list this disclosure on the  covered entity's accounting of disclosures?

Neither a written consent nor an accounting are required when a health provider discloses PHI for treatment, payment, or health care operations (see Table for details).

Q: Do clinicians need an authorization (consent) from a patient to disclose PHI when reporting vital statistics as authorized by law?

Clinicians are not required to obtain consent for public health or related purposes (e.g., mandatory reporting of vital statistics, national security, or suspected abuse), but the covered entity is required to document this disclosure of information on the covered entity's accounting for disclosures (45 CFR 164.508; 45 CFR 164.528; see Table on page 23 for details).

(Reprinted with permission. Portions of this sidebar were originally prepared for:
Horner, J. & Wheeler, M. [2003, Fall]. HIPAA and Protected Health Information (PHI). Academy of Neurologic Communication Disorders and Sciences Newsletter, I[2], 10-11).



Medicare Requires HIPAA-Compliant Billing

Audiologists and speech-language pathologists who file their claims electronically are reminded that as of Oct. 1, 2005, CMS will no longer process electronic Medicare claims that do not comply with HIPAA. Claims that do not meet standards required by HIPAA will be returned to the filer for re-submission. CMS reports that, "the high percentage [of compliance] among all provider types and sizes shows that everyone can become compliant." The HIPAA-compliant claims allow the same software to be used to generate identical claims for all payers using standard formats and coding. The use of all the HIPAA transactions will allow interoperability among payers and providers for health care administration. CMS continues to make available free or low-cost software through Medicare carriers and intermediaries. For further information, contact Ingrida Lusis, director of health care regulatory advocacy, at ilusis@asha.org or 800-498-2071, ext. 4387.

References

Health Insurance Portability and Accountability Act of 1996 (HIPAA). Public Law 104-191, 110 Stat. 1936 (Aug. 21, 1996). Available at http://www.hhs.gov/ocr/hipaa/

U.S. Department of Health & Human Services. (2003, April 14). Privacy rule: Standards for privacy of individually identifiable health information. 45 Code of Federal Regulations, Parts 160 and 164. Available at http://www.hhs.gov/ocr/hipaa [cited as CFR].

U.S. Department of Health & Human Services. (2000). Standards for privacy of individually identifiable health information (final rule). Federal Register, 65(250), 82461-82829. Available at http://www.gpoaccess.gov/index.html.



  

Advertise With UsAdvertisement