9/17/2023

HIPAA breach policy

For example, because HIPAA applies only to covered entities as defined in the statute, many of the new entities that store and/or manage PHI electronically have not been covered by the Privacy Rule. These gaps have been amplified with the increased use of health information technology, which promises not only the possibility of comprehensive health records that can move with individuals over a lifetime, but also more efficient gathering of data that could lead to improved population health. 15 Although establishment of HIPAA's privacy provisions was a watershed in federal health information privacy law, gaps in the Privacy Rule's protections existed. 12 The Privacy Rule, therefore, allows public health authorities to engage in the full range of activities authorized by state law, assuming successful collection of necessary data from covered entities (as either PHI or in less identifiable forms 13, 14 allowed by the regulations). That is, HIPAA permits, but does not require, covered entities to disclose PHI without authorization to public health authorities for activities including, among others, reporting, surveillance, investigations, and interventions and notifying people at risk of communicable disease. Public health operations have been largely exempted from HIPAA's restrictions. 10 Written “authorizations” by patients are required for uses and disclosures of PHI that are not otherwise permitted or required; as a result, many disclosures, including those related to treatment, payment, and health care operations, require no authorization. 9 For example, covered entities are permitted to access, use, and disclose PHI for the purposes of treatment, payment, and health care operations. 8 All other disclosures, including those that may be required by other federal or state laws (e.g., public health reporting statutes), are considered “permitted,” or allowed by the Privacy Rule.
Only two types of disclosures are required: when a patient requests his/her own PHI and when the Secretary of HHS requests PHI for audit or other enforcement purposes. 7 Under the Privacy Rule, covered entities may not use or disclose PHI except as permitted or required. PHI is “individually identifiable health information” that is held or transmitted by a covered entity in any form, paper or electronic. The HIPAA Privacy Rule regulates the use and disclosure of protected health information (PHI) by “covered entities,” defined as health plans, health care clearinghouses, and health care providers who transmit health information in electronic form. 3 Following years of negotiations, federal regulations implementing HIPAA's privacy provisions were issued in 2000, 4 revised in 2002, 5 and became effective for most entities in 2003. Pursuant to the law, Congress gave itself two years to enact federal privacy protections, but in the end tasked HHS with the job of promulgating privacy and security regulations. After a brief description of the history and structure of HIPAA, we highlight key provisions of the recently released final rules and explore their implications for public health policy and practice. Ensuring the privacy and confidentiality of health information has always been a critical aspect of health care, but until the enactment of HIPAA, no comprehensive piece of federal legislation protected health information privacy. This installment of Law and the Public's Health explores the evolution of HIPAA's privacy protections. 1 Four years after the enactment of major HIPAA reforms in the Health Information Technology for Economic and Clinical Health (HITECH) Act, 2 the U.S. Department of Health and Human Services (HHS) has issued an Omnibus Rule that reflects movement to strengthen individual rights while continuing to facilitate the other competing interests, including those of public health, in greater access to health information.
These influences combined to produce a convoluted and leaky regulatory system that, paradoxically perhaps, has been criticized since its inception as both burdensome to providers and inadequate to assure health information privacy and security for individual patients. It has now been more than a decade since the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule became effective, following years of conflicts that pitted multiple interests against one another: individual privacy rights, access to personal health information in public health and research endeavors, the economic interests of the health-care sector, and an expanding government role in health care.