The Administrative Simplification provisions under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) require covered entities (i.e. group health plans, health care providers, and health care clearinghouses) to adopt privacy standards for health information. The privacy regulations became applicable for group health plans with $5 million in receipts or more on April 14, 2003 (April 14, 2004 for smaller group health plans).
What is a Health Plan?
HIPAA defines a health plan as an individual or group plan that provides or pays the cost of medical care, including health, dental, vision, and prescription drug insurers, HMOs, Medicare, Medicaid and long term care insurers. Also included are employer-sponsored group health plans with 50 or more participants, government and church-sponsored health plans, and multi-employer health plans.
What Information is Protected?
The Privacy Rule requires health plans to protect all individually identifiable health information, known as protected health information (PHI). PHI includes demographic data that relates to the individual´s past, present, or future physical or mental health condition; the provision of health care to the individual; or the past, present, or future payment for the provision of health care to the individual; and that identifies the individual or provides a reasonable basis to believe the individual can be identified based on the information (e.g., Social Security Number, name).
Use and Disclosure for PHI
The Privacy Rule requires health plans to limit the circumstances under which an individual´s PHI may be used or disclosed. Generally, health plans are permitted to use/disclose PHI without an individual´s authorization for only the following:
- To the individual who is the subject of the PHI;
-
- Treatment, payment, and health care operations;
-
- Opportunity to agree or object where informal permission may be asked;
-
- Incidental use and disclosure;
-
- Public interest and benefit activities; and
-
- Limited data set for the purposes for research, public health or health operations.
-
Obtain Authorization
Health plans must obtain the individual´s written authorization for any use or disclosure of PHI that is not for treatment, payment, health care operations or any of the other permitted uses noted above. With few exceptions, health plans may not condition treatment, payment, enrollment or benefits eligibility on an individual´s authorization.
Minimum Necessary
The Privacy Rules requires health plans to use, disclose and request only the minimal PHI needed to accomplish a task. A health plan may not request every health care claim processed for an individual unless it can justify that every claim is needed for the duty at hand.
Notice of Privacy Practices
A notice of the health plan´s privacy practices is required under HIPAA. Specifically, this notice must describe:
- the ways in which the health plan may use and disclose PHI;
-
- the health plan´s duty to protect privacy;
-
- provide a notice of privacy practices;
-
- statement regarding how the health plan will comply with the terms of the notice in place;
-
- describe an individuals´ rights;
-
- a point of contact for requesting further information; and
-
- a point of contact and process for making complaints.
-
The Privacy Practices Notice must have been distributed to every enrollee (i.e. named insured) by April 14, 2003. Afterward, the health plan must provide a notice to each new named insured at enrollment, and send a reminder to each named insured at least once every three years that the notice is available upon request.
Access, Amendment and Disclosure
Generally, an individual has the right to review and obtain a copy of his/her PHI held in the health plan´s records. Should an individual find his/her information is inaccurate or incomplete, he/she has the right to request amendment of this information. The Privacy Rules outline specific processes for requesting and responding to a request for amendment. Additionally, individuals have the right to an accounting of the health plan´s disclosures of their PHI for a maximum period of six years.
Restricted Use and Confidentiality
Individuals have the right to request restricted usage of PHI for certain purposes only (e.g., treatment). In addition, health plans must permit individuals to request an alternative location for receiving PHI communications (e.g., a different address), particularly if such request is made when normal disclosure could endanger the individual.
Administrative Requirements
In order for health plans to comply with the above privacy provisions, they should take at least the following steps to ensure internal compliance:
- Adopt identical standards for the health plan´s business associates as is applied internally;
-
- Develop privacy policies/procedures;
-
- Designate a privacy official;
-
- Train applicable employees;
-
- Mitigate harmful effects of PHI disclosed in violation of policy;
-
- Maintain reasonable safeguards to prevent violations of PHI use/disclosure;
-
- Develop a complaint process;
-
- Establish no-retaliation policies for complaints; and
-
- Document the use/disclosure of PHI for at least six years.
-
