In 1996, Health Insurance Portability and Accountability Act (HIPAA) was enacted to improve availability and continuity of health insurance coverage, combat fraud and abuse in health care delivery, provide access to long term care services and simplify administration of health insurance by standardizing information exchange between healthcare organizations. This act primarily protects the privacy and security of an individual’s health information in response to the rapid grown of health insurance and information systems (Questions and Answers on HIPAA).
Transmission standards and code sets were included in HIPAA to standardize health-related information and to facilitate faster electronic data interchange (EDI) which allows exchange of information from computer to computer. The transactions and code set standards apply to patient-identifiable health information transmitted electronically. Without the need for human involvement or intervention to complete the process, the practitioner will be able to cut costs by eliminating third party clearing houses, administrators or billing services (Kibbe, 2001, p. 8).
With the standardized information exchange, availability of patient information electronically can be obtained with ease. To protect the security and confidentiality of this information, Privacy Rule was issued to implement the requirement of HIPAA. The major goal of the privacy rule is to assure that an individual’s health information is protected from unauthorized access and disclosure while still allowing the exchange of information through EDI to facilitate payments and to provide high quality health care.
Individually identifiable health information, called Protected Health Information (PHI) is any data that contains the individual’s past, present or future physical or mental health, provision of health care to the individual, and the payment of such in the past, present or future. It is the Office for Civil Rights’ (OCR) responsibility to ensure that the Privacy Rule is enforced and implemented with respect to voluntary compliance activities and civil money penalties (Office of Civil Rights, 2003).
There are some instances, however, when disclosure of PHI is needed or permitted. Covered entities (health care providers, clearing houses, etc. ) may disclose protected health information to the public health authorities when public health and safety are at risk. This happens when an individual contracted a communicable disease that raises public concern.
If an employee developed a work-related illness or injury and the employer requests for the employee’s PHI in compliance with the Occupational Safety and Health Administration (OSHA) and other similar state law, the covered entities may release information about the individual. Likewise, information for treatment procedures requiring historical information and provided for by several health care services is granted to the health service providers, including consultations and referrals between providers regarding a patient.
Protected Health Information of abused, neglected or domestic violence victims may also be disclosed to appropriate government authorities (such as reporting suspected domestic abuse to social welfare agencies) as long as the individual gives consent to disclosure, or the disclosure is authorized by law (Office of Civil Rights, 2003). The passage and implementation of HIPAA definitely improved the conditions of health care services. Uniform transmission and code sets standards paved the way for more efficient processing system, standardizing the way physicians, health insurance and health care providers handle and exchange information.
With increased efficiency, costs are decreased. As Kibbe (2001) puts it in his article, “If there’s a silver lining to the HIPAA regulations, it’s here. These standards can save your practice time and money. ” Although accessibility of information is one benefit of HIPAA, Privacy Rule protects the individuals from unauthorized disclosure of their Protected Health Information ensuring confidentiality and security of data exchanged in the process.