What is the HIPAA Privacy Rule?
Why was the Privacy Rule issued?
Whom does the rule cover?
What information is covered?
What must health care providers do?
What new rights do patients have?
How will HIPAA affect patient care?
Can I still use patient data for research?
How does the Privacy Rule affect other laws?
Who will enforce the Privacy Rule and what are the penalties?
When does the Privacy Rule go into effect?
How will the components of KUMC work together?
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law with multiple goals. It is best known as the law that established the right for individuals to maintain health insurance coverage when they move from job to job. Other portions of the law affect health care providers. The privacy section of HIPAA, called the Privacy Rule, imposes restrictions on the use and disclosure of patient information. It gives new rights to patients and requires health care providers to adopt safeguards that protect patient privacy.
One of the major goals of the HIPAA legislation is to improve the efficiency of health care by standardizing electronic transactions. All electronic health care billing soon will follow uniform federal standards. In order to protect those transactions, Congress required the Department of Health and Human Services to develop federal regulations that govern the privacy of health information.
The law governs "covered entities," which include health plans, health care clearinghouses, and health care providers who bill for their services electronically. The law also reaches a provider's business partners and vendors, since those partners must sign HIPAA-compliant contracts in which they agree to protect the health information they handle.
The law covers Protected Health Information (PHI). HIPAA defines PHI as: individually-identifiable information, created or received by a covered entity, that relates to the past, present, or future physical or mental health condition, the delivery of health care or payment for health care. The Privacy Rule applies not only to information maintained in electronic format, but also to any identifiable patient information on paper or transmitted verbally.
Providers must inform patients about their rights through a Notice of Privacy Practices. Under HIPAA, health information may be used only for treatment, payment or health care operations unless the patient gives written permission or federal law specifically allows the use. Apart from treatment activities, providers must use only the "minimum necessary" information to accomplish the intended purpose. Clinics and hospitals must implement new levels of office security and define appropriate levels of access to patient information for employees. Organizations must establish "business associate agreements" with vendors who handle their patient information, in order to ensure that those agents comply with the law. Policies and procedures must be established, and a "privacy official" must be appointed to ensure the organization's compliance. And finally, the regulations require that each member of our workforce receive special training about privacy protections.
Beginning April 14, 2003, patients have the following rights:
HIPAA was written to minimize disruption in direct patient care. There are no restrictions on exchanging information to accomplish treatment. Providers can continue to disclose patient information related to referrals and consultations. Students and trainees are allowed to have access to all information that is appropriate to their participation in patient care. If providers believe that HIPAA implementation is hampering patient care, they are encouraged to consult with their institution's privacy official.
HIPAA will affect the way researchers access patient data. If informed consent is being sought from the research subject, the subject must be informed of the planned uses and disclosures of their information through a privacy section in the consent form. The new rules also affect the process of research recruitment. Different requirements exist for projects that do not involve informed consent, such as retrospective chart reviews. When informed consent is not required, the researcher must meet certain standards for protecting the privacy of the data, depending on the source of the research data and the nature of identifiers that are associated with the medical information being collected. Please refer to the Research section of this website for detailed information.
As a general rule, federal law supersedes state laws. However, the HIPAA Privacy Rule does not preempt state laws that offer stronger protections for patient privacy. Additionally, the Privacy Rule leaves intact any state law that relates to reporting of disease or injury, child abuse, birth, or death, or to public health activities and investigations. State laws about the treatment of minors also will prevail.
The Privacy Rule is administered by the DHHS Office of Civil Rights. The penalties for violations include:
Persons who violate HIPAA are also liable for prosecution under state privacy laws.
The Privacy Rule goes into effect on April 14, 2003.
Under the HIPAA law, affiliated organizations can create a joint compliance program. The University of Kansas Medical Center, the University of Kansas Hospital Authority, KU Physicians, Inc., and KU HealthPartners have formed an "organized health care arrangement" whereby we can deliver a joint privacy notice and share patient information for joint activities in treatment, payment, and health care operations. The four partners of KU Medical Center also coordinate efforts in order to share resources and harmonize procedures. HIPAA contacts are:
Karen Blackwell, University of Kansas Medical Center
kblackwe@kumc.edu - 913.588.0942
Don Branson, KU Physicians, Inc.
dbranson@kumc.edu - 913.588.2512
Julie Roth, KU HealthPartners, Inc.
jroth@kumc.edu - 913.588.2729
Bob Spaniol, KU Hospital Authority
bspaniol@kumc.edu - 913.588.7632
