Impact of HIPAA

By Kenneth R. Schmidt, MSN, RN

ITH 510 – The Impact of E-Health

University of Phoenix – Online



In our society today, healthcare is ever changing and evolving. “Computer-based patient records, videoconferencing, electronic mail, and telehealth are just a few of the practices that have become common in the delivery of care” (Follansbee, 2002, p.42). This paper will focus on one such change, the Health Information Portability and Accountability Act of 1996 (HIPAA) and how it may affect healthcare as we know it.

In August of 1996, Congress passed the Kennedy-Kassebaum bill, which became Public Law 104-191, and is better known as the Health Information Portability and Accountability Act of 1996 (HIPAA). According to Maheu et al. (2001), HIPAA “called for protections of the privacy of medical information and was designed to improve the portability and continuity of health insurance coverage through simplification by the Congress and the Department of Health and Human Services” (p. 171). Richard Antognini (2002), an attorney, wrote that HIPAA was “lengthy legislation whose main goal was to enable employees to keep health insurance coverage when they changed jobs. Buried in the act, however, was a section that related to the protection of the privacy of individuals’ health information” (p. 296).


This was not Congress’ first attempt to legislate medical records privacy. Previous attempts included the Individual Privacy Act (1974), the Fair Health Information Practices Act (1995), and the Medical Records Confidentiality Act (1995). Unfortunately, none of those bills were passed (Hebda et al., 2001).

Congress gave itself three years to pass legislation guaranteeing the privacy of health information. If it did not do so, the Secretary of Health and Human Services (HHS) was authorized to draft and enact regulations to accomplish this task. Needless to say, Congress did indeed fail to enact health privacy laws by 1999, the deadline set under HIPAA (Antognini, 2002).


HIPAA is a very large and complex act, with many sections. This paper will attempt to describe those sections and inform the reader on how changes enacted due to HIPAA will affect health care in general. There is one section titled “Administrative Simplification,” which contains provisions “intended to standardize electronic transmission of health care information and reduce associated costs and administrative burdens” (Maheu et al., 2001, p. 172). According to Follansbee (2002), “The standardization of electronic data interchange, the protection of the confidentiality, and the security of health data will determine and enforce standards for the transfer of e-health information” (p. 44). The deadline for this section was October 16, 2002, but any organization that applied for an extension automatically received another year.

HIPAA also has a section regarding privacy. According to the Department of HHS’s website, HIPAA’s final Privacy Rule was published December 20, 2000, with the rule becoming effective April 14, 2001. Covered entities (certain health care providers, health plans, and health care clearinghouses) and their “business associates” (such as vendors) are not required to comply with the HIPAA Privacy Rule until the compliance date of April 14, 2003. Of course, they may do so voluntarily before that date, if they wish.

The HIPAA Privacy Rule was enacted to establish a “minimum standard” to which all states must conform. By definition, the minimum standard is a federal “floor” of safeguards set up to protect the confidentiality of medical information. Included is the underlying principle that health care plans follow a policy of “minimum disclosure” when using or disclosing medical information in all areas of operation (Wang, 2002). As with most rules and regulations, state or local laws that provide stricter privacy protection will continue to apply over and above this federal policy.

Noncompliance with HIPAA standards could result in severe fines. Civil penalties range from $100 (per person per violation) to a maximum of $25,000 per year. Criminal acts for obtaining and disclosing personal health information (PHI) may incur a $50,000 fine and one year in prison. When PHI is obtained under false pretenses, the penalties increase to $100,000 and five years in prison. Finally, anyone caught obtaining PHI with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm, may face penalties of $250,000 and ten years in prison (Wang, 2002).

The Privacy Rule dictates that a “security official” be appointed within the covered entity. This person is responsible for developing and implementing privacy procedures. The security official will oversee the complaint process and provide information and training to participants and employees (Wang, 2002). Maheu et al. (2001) state that the security officials “should be familiar with the technical operations of the organization. They should also be able to manage other personnel and interact with representatives of other companies, such as vendors” (the covered entities’ “business associates”) (p.173). They further state that a risk assessment should be conducted to determine the organization’s needs, related to compliance.

It is recommended that the security official do a few things in preparation for HIPAA. First, create an information security (IS) department and educate that department in depth on the details of the act. Then, use the IS staff to conduct a thorough review of the current systems and procedures. This will allow them to identify any changes, including system changes, that need to be made. After a plan is developed, all staff need to be updated on the changes that will be taking place and the reasons why these changes will occur (Hebda et al., 2001).

In addition, the security official should evaluate all security measures currently in place, especially those involving computer workstations. Several questions need to be addressed. What kind of data is stored on personal computers (PCs)? Is this patient or personal data? Are the workstations secure? Do they require a unique sign-on for each user, or can anyone access them? Is there a system to automatically log off a user after a certain amount of time? (For instance, what happens if there is an emergency and the user is called away from the terminal?) Is the network protected? Are there adequate firewalls in place? Lastly, how are paper printouts disposed of? Are they just thrown in the trash, or are they placed in locked bins to be shredded or destroyed so that no personal information can be obtained from them?

A covered entity must remember that the primary focus of HIPAA is a patient’s right to his or her medical information. That covered entity must provide an easy to understand notice to all affected patients. This notice must explain how the patient’s personal health information can be used, and how to request, access, or amend that information (Wang, 2002).

A patient also has the right to access his or her personal health information (PHI). Upon request, a covered entity must provide an “accounting of the health information uses and disclosures for the past six years of service” (Wang, 2002, p.64). Wang further adds, “The accounting must be provided free of charge the first time in any 12-month period; a reasonable fee may be imposed afterward. The entity has thirty days to inform the person and provide access, or give a reason for denial” (p.64). Psychotherapy notes and information compiled in anticipation of a lawsuit (or administrative action) are exempted from this rule.


In conclusion, the explosion of computers and new technology has already changed the way that health care is practiced. Follansbee (2002) adds, “HIPAA will influence the direction of these practices so that the practitioner and the patient can achieve the best possible outcomes” (p.44).

Without a doubt, the public is concerned about medical privacy. A recent Gallup poll conducted by the Institute of Freedom found that an overwhelming majority of Americans disapprove of third parties having access to their medical records without their consent. Seventy-eight percent of respondents in that survey were adamant that their medical records should remain confidential. It also found that eighty-two percent of the participants strongly objected to the idea of insurance companies gaining access to their personal records without specific permission (Institute of Freedom, 2002).

The use of technology in health care continues to grow at an unbelievable rate. Along with this technology come many opportunities and concerns. That is where HIPAA steps in to assist nursing with these issues and concerns and in the provision of confidential patient care. HIPAA compliance is a goal that requires extraordinary focus and determination, and one that will not be accomplished easily. Follansbee (2002) ends by saying, “Since the impact of HIPAA will change the way health care is practiced both now and in the future, there is a clear directive to understand issues and consequences regarding noncompliance” (p.47).

HIPAA will have an effect on nearly everyone in one way or another. It affects health care providers by making them more aware of how personal information is stored and made available. It affects institutions, such as hospitals, by levying fines if measures are not taken toward compliance with this act. Lastly, it affects any individual who has been or may be a patient in the health care arena. So, HIPAA truly affects everyone.


