Does HIPAA Protect My Health Information?

It requires Massachusetts providers have compliance procedures in place

A major reason for the 1996 enactment of the Health Insurance Portability and Accountability Act (HIPAA) was to protect Americans’ private health information from being used or disclosed improperly. Part of federal HIPAA law is something called the Privacy Rule, the purpose of which is to define and limit the circumstances in which an individual’s protected health information may be used or disclosed by health providers and health plans.

What is protected health information?

All individually identifiable health information held by a health care provider or plan is protected health information. This includes any information that identifies an individual, or for which there is a reasonable basis to believe it can be used to identify an individual. This information includes demographic information related to:

  • The individual’s past, present or future physical or mental health condition
  • Providing health care services to the individual
  • Past, present or future payment for the provision of health care to the individual

Individually identifiable health information includes many common identifiers, such as: name, address, birth date and social security number. There are no restrictions on the use or disclosure of health information that has been de-identified. To de-identify health information, individually identifiable information must be removed until it is not possible to identify the individual.

What uses and disclosures of protected health information are permitted?

Health plans and providers can use or disclose an individual’s protected health information in two situations:

  • When authorized in writing by the individual (or the individual’s agent or parent)
  • As permitted by the Privacy Rule

Under the Privacy Rule, health plans and health providers are permitted to use and disclose protected health information, without the individual’s written authorization, only in the following situations:

  • In communication with the individual
  • Treatment, payment and health care operations
  • Uses or disclosure where there is an opportunity for the individual to agree or object to the disclosure. For example, notifying relatives of health condition
  • Incident to a permitted use if information was limited to minimum necessary
  • Public interest and benefit activities, typically required by law
  • Limited data set, meaning direct identifiers of the individual—and their relatives—have been removed for the purposes of research, public health or health care operations

If a health plan or provider wants to use or disclose an individual’s protected health information for any other use, it must obtain the individual’s written authorization. A plan or provider cannot condition treatment on obtaining authorization. Authorizations must be in plain language, and include specific information about the information to be disclosed. It must also describe when it expires, and provide a right to revoke the authorization in writing.

Obligations for providers and plans

When using or disclosing protected health information, providers and plans must limit their use to only the minimum necessary. This means a provider or plan must make reasonable efforts to use, disclose, and request only the minimum amount of protected health information needed to accomplish the intended purpose. Providers and plans must develop and implement policies and procedures to reasonably limit uses and disclosures to the minimum necessary.

Entities must provide patients with notice of their privacy practices—which is typically provided at, or prior to, the first visit. Entities must make a good faith effort to obtain a written acknowledgement from the patient of the notice of privacy practices.

The notice must also make the patient aware that any violations of use or disclosure of their protected health information can be reported to the U.S. Department of Health and Human Services (HHS). HHS can levy fines and penalties on entities which violate the law. If you believe an entity has not protected your health information, you should reach out to an experienced Massachusetts health care attorney.

Page Generated: 0.10265278816223 sec