HIPAA (the Health Insurance Portability and Accountability Act) is a federal law that gives individuals the right to keep their health information private. Insurers and healthcare providers must follow HIPAA's requirements and maintain the confidentiality of their patients' and members' medical records.
What PHI (Protected Health Information) Comprises
- The information contained in an individual's medical chart. This information is highly sensitive, and HIPAA requires that it be protected from unauthorized access, use and disclosure.
- An individual's healthcare data stored in his/her insurer's data systems.
- Conversations an individual may have had with his/her physician or other healthcare professionals regarding any aspect of treatment and care.
- The individual’s billing information.
- Any other healthcare information that is retained by entities that must comply with HIPAA.
Entities Required to Comply with HIPAA
- Hospitals, medical clinics, physicians, nurses, pharmacies, nursing homes and other healthcare providers.
- Health insurance companies, independent physician associations, provider networks, HMOs (Health Maintenance Organizations) and so on.
- State/federal government programs such as Medicare, Medicaid and others that pay for an individual’s health care.
PHI may be used and disclosed without the individual's authorization for the following purposes.
- When the information must be disclosed for the individual's treatment and care.
- To friends and family members the individual identifies as being involved in his/her healthcare or in paying healthcare bills.
- To obtain payment for the care and treatment provided.
- To ensure that the individual receives quality care in a clean and safe environment, for example in nursing homes.
- To report flu and other disease outbreaks in the locality to public health authorities and thereby protect public health.
- When public safety reports are required (e.g. gunshot wounds).
The HHS Office for Civil Rights (OCR) Final Rule and Its Impact
The Final Rule (the 2013 Omnibus Rule) addresses the privacy and security rules for PHI, the enforcement rules, the breach notification rules, and the genetic privacy provisions of GINA (the Genetic Information Nondiscrimination Act) that apply to PHI maintained by health plans. It also affects attorneys with elder law practices. Clients of such practices frequently have health issues and want to know how their healthcare data is protected. Practitioners must understand how HIPAA, as amended by the Final Rule, restricts the use and disclosure of PHI, what protections it demands for electronic PHI, and which types of entities it governs. Attorneys may also need to obtain copies of their clients' medical records in order to advise them properly.
Attorneys who represent healthcare providers or other covered entities, and who must access PHI to do so, are "business associates" under HIPAA. Under the Final Rule, business associates (attorneys included) are directly regulated by and directly liable under HIPAA, rather than being bound only through their contract with the covered entity. In practice this means the covered entity must have a written business associate agreement with the attorney, and the attorney must apply the Security Rule's administrative, physical and technical safeguards to any electronic PHI he/she receives, stores or transmits.