HIPAA at KUMC

Frequently Asked Questions about the HIPAA Privacy Rule

What is the HIPAA Privacy Rule?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law with multiple goals. It is best known as the law that established the right for individuals to maintain health insurance coverage when they move from job to job. Other portions of the law affect health care providers. The privacy section of HIPAA, called the Privacy Rule, imposes restrictions on the use and disclosure of patient information. It gives new rights to patients and requires health care providers to adopt safeguards that protect patient privacy.

Why was the Privacy Rule issued?

One of the major goals of the HIPAA legislation is to improve the efficiency of health care by standardizing electronic transactions. All electronic health care billing soon will follow uniform federal standards. In order to protect those transactions, Congress required the Department of Health and Human Services to develop federal regulations that govern the privacy of health information.

Whom does the Rule cover?

The law governs "covered entities," which include health plans, health care clearinghouses, and health care providers who bill for their services electronically. The law also reaches a provider's business partners and vendors, since those partners must sign HIPAA-compliant contracts in which they agree to protect the health information they handle.

What information is covered?

The law covers Protected Health Information (PHI). HIPAA defines PHI as: individually-identifiable information, created or received by a covered entity, that relates to the past, present, or future physical or mental health condition, the delivery of health care or payment for health care. The Privacy Rule applies not only to information maintained in electronic format, but also to any identifiable patient information on paper or transmitted verbally.

What must health care providers do?

Providers must inform patients about their rights through a Notice of Privacy Practices. Under HIPAA, health information may be used only for treatment, payment, or health care operations unless the patient gives written permission or federal law specifically allows the use. Apart from treatment activities, providers must use only the "minimum necessary" information to accomplish the intended purpose. Clinics and hospitals must implement appropriate administrative, physical, and technical safeguards and define appropriate levels of access to patient information for employees. Organizations must establish "business associate agreements" with vendors who handle their patient information, in order to ensure that those agents comply with the law. Policies and procedures must be established, and a "privacy official" must be appointed to ensure the organization's compliance. And finally, the regulations require that each member of our workforce receive training about privacy protections.

What new rights do patients have?

Beginning April 14, 2003, patients have the following rights:

  • Right to receive a written Notice of Privacy Practices that describes how the institution will use patient information
  • Right to access and copy one's own medical record
  • Right to amend the record, where appropriate
  • Right to request special accommodations for communicating health information in a confidential manner
  • Right to request restrictions on the uses and disclosures of health information
  • Right to obtain an accounting (a list) of all non-routine disclosures
  • Right to complain about privacy violations to the institution and to the Department of Health and Human Services

How will HIPAA affect patient care?

HIPAA was written to minimize disruption in direct patient care. There are no restrictions on exchanging information to accomplish treatment. Providers can continue to disclose patient information related to referrals and consultations. Students and trainees are allowed to have access to all information that is appropriate to their participation in patient care. If providers believe that HIPAA implementation is hampering patient care, they are encouraged to consult with their institution's privacy official.

Can I still use patient data for research?

HIPAA will affect the way researchers access patient data. If informed consent is being sought from the research subject, the subject must be informed of the planned uses and disclosures of their information through a privacy section in the consent form. The new rules also affect the process of research recruitment. Different requirements exist for projects that do not involve informed consent, such as retrospective chart reviews. When informed consent is not required, the researcher must meet certain standards for protecting the privacy of the data, depending on the source of the research data and the nature of identifiers that are associated with the medical information being collected. Please refer to the Research section of this website for detailed information.

How does the Privacy Rule affect other laws?

As a general rule, federal law supersedes state law. However, the HIPAA Privacy Rule does not preempt state laws that offer stronger protections for patient privacy. Additionally, the Privacy Rule leaves intact any state law that relates to reporting of disease or injury, child abuse, birth, or death, or to public health activities and investigations. State laws about the treatment of minors also will prevail.

Who will enforce the Privacy Rule and what are the penalties?

The Privacy Rule is enforced by the HHS Office for Civil Rights (OCR). Penalties for violations include:

  • Civil fines of $100 for each accidental violation
  • Criminal fines of up to $250,000 and federal prison sentences of up to 10 years for knowingly selling PHI or using it to harm someone

Persons who violate HIPAA may also be liable for prosecution under state privacy laws.

When does the Privacy Rule go into effect?

The Privacy Rule goes into effect on April 14, 2003.

How will the components of KUMC work together?

Under HIPAA, affiliated organizations can create a joint compliance program. The University of Kansas Medical Center, the University of Kansas Hospital Authority, KU Physicians, Inc., and KU HealthPartners have formed an "organized health care arrangement" whereby we can deliver a joint privacy notice and share patient information for joint activities in treatment, payment, and health care operations. The four partners of KU Medical Center also coordinate efforts in order to share resources and harmonize procedures. HIPAA contacts are:

Karen Blackwell, University of Kansas Medical Center
kblackwe@kumc.edu - 913.588.0942

Don Branson, KU Physicians, Inc.
dbranson@kumc.edu - 913.588.2512

Julie Roth, KU HealthPartners, Inc.
jroth@kumc.edu - 913.588.2729

Bob Spaniol, KU Hospital Authority
bspaniol@kumc.edu - 913.588.7632

Last modified: Apr 21, 2014