How Do HIPAA Risks Relate to Disclosure?


The Health Insurance Portability and Accountability Act of 1996 is United States federal legislation signed into law by President Bill Clinton on August 21, 1996. The main purpose of the Act is to protect patient records and personal health information. Among its many provisions, the Act also establishes the National Health Information Center (NHIOC), a central repository for patient records.

For those not familiar with the title, HIPAA refers to the Health Insurance Portability and Accountability Act of 1996, which established the National Health Information Center as well as the HIPAA certification process. The two-track system set up by the accountable entities includes a first level of implementation, which is enrollment, and a second level, which is maintenance. The provision establishing the National Health Information Center ran into a number of technical difficulties in implementation, including a lack of understandable terminology and a cumbersome application process. As a result, many people did not apply for HIPAA insurance and many health insurance companies never subscribed to it.

In recent years, though, more people have become concerned about their privacy and the privacy of their information. As a result, the government has become involved in more issues surrounding the handling of personal and confidential information. Consequently, the Health Insurance Portability and Accountability Act has been strengthened to address these concerns. In addition to its strong statutory framework, the Act also includes a number of important improvements that make it more useful for individual health care consumers and employers. For example, the final version of the Act contains several important features:

One of the main goals of HIPAA is to establish improved electronic security standards across the healthcare industry. With the passing of time, it is important to revise our aging electronic storage methods to ensure that confidential patient information does not fall into the wrong hands. The Security Rule issued by HIPAA is meant to strengthen the security measures of electronic health information and to encourage organizations to upgrade their systems. The Federal Trade Commission also has released several rules that were designed to strengthen HIPAA’s privacy and confidentiality commitments. These rules are available online.

Another important feature of the HIPAA regulations is the risk analysis process. This includes provisions that address the selection of protected parties for HIPAA compliance. Furthermore, the regulations require that organizations conduct a risk analysis before any personal information transfers take place. The risk analysis process also requires the use of technical controls and protection measures. The safeguards in the HIPAA regulations include the following:

According to the revised HIPAA Privacy Rule, healthcare entities are required to disclose their privacy commitments to customers. However, the rule does not state who must disclose the information. For example, it may state that a healthcare entity has to disclose the fact that it is implementing HIPAA if customers ask for it. Similarly, it may state that a hospital is required to disclose, on request, any technological developments it makes available to the public as part of its HIPAA compliance initiatives.

The final paragraph of the Privacy Rule on disclosure of technological developments applies to ePHI as well. The rule states, “A covered entity that uses or sells electronic health records shall disclose to customers any technological developments that it makes available to the public.” Therefore, according to the revised HIPAA regulations, ePHI companies are bound to a higher level of security to ensure customer confidentiality. Likewise, according to the revised HIPAA Security Rule, “a covered entity that discloses or provides access to electronic health information that enables a third person to identify a protected individual should have reasonable security measures in place to protect such identification.” Finally, according to the Security Rule, protected individuals who visit health information technology websites must be provided with a Notice of Privacy Practices statement that clearly states that HIPAA will be used to protect their privacy.

As discussed earlier, the revised HIPAA Security Rule allows a covered entity to satisfy its obligations to customers through a breach notification rule. Although this rule was added to HIPAA in response to concerns about potential security breaches, many physicians and health care providers still do not believe that it goes far enough. According to these professionals, hospitals and other covered entities should be required to first take measures to ensure that they comply with the revised privacy rules before they can legally notify a customer that his or her information has been compromised. Accordingly, many physicians and organizations are challenging the U.S. Department of Health and Human Services (HHS) in court over this requirement. According to these groups, the failure of the healthcare agency to satisfy the legal requirements before releasing consumer health information gives it a very weak argument in court. Because it is not clear what is required in this regard, the challenge is being pushed at the state and local level, where a breach notification rule typically requires that the patient or recipient of a breach notice understand the risk and give notice and consent to the disclosure, or else face criminal prosecution.