HIPAA

Posted on February 18, 2018 by johnss7

 

Definition of the Term and Background

            HIPAA, which stands for Health Insurance Portability and Accountability Act, was enacted in order to improve the United States healthcare system and the way it handles patient information. This act was created with both the professional and individual in mind; it protects the individuals’ rights concerning the privacy of their medical records, and creates obligations and responsibilities for professionals regarding handling of patient information (United States). It was initially introduced as the Kennedy-Kassebaum Bill in 1993, named after Senators Edward M. Kennedy and Nancy Kassebaum; it was signed in to effect by President Bill Clinton in 1996 and was considered a bipartisan effort (Starr).

It restricts the flow of patients’ health records amongst healthcare professionals and insurance companies. Currently, there are five titles in HIPAA:

  1. Health Insurance Reform: The protection of health insurance coverage as workers transition between jobs. This title also protects the worker’s family’s benefits.
  2. Administrative Simplification: This protection of health data through standards set for electronic healthcare information exchanges.
  3. Tax Related Health Provisions: Modifies laws regarding health insurance and medical deductions.
  4. Application and Enforcement of Group Health Plan Requirements: Details conditions for group health plans and continuation of coverage.
  5. Revenue Offsets: Provisions for those in special groups (“HIPAA Title Information”).

For the individual, this act has a plethora of benefits, with most of them in regards to protecting patient privacy; patient privacy denotes the regulation of health care providers and insurance companies having the discretion to share, view, and receive patient information. Because of this act, patients have more control over their health records, including who can view their information and where it can be released. Patients have the ability to request a copy of their information whenever they wish and an institution has to comply (United States). If an institution does not comply in a timely manner, as was the case when a complainant alleged that The Mental Health Center did not provider her with a timely disposal of her records, and Office for Civil Rights investigation must be conducted (“HIPAA Case Examples”). Moreover, if anything is wrong with a patient’s information, they have the ability to change what they believe to be an error in their record. If a hospital disagrees and says that the information is actually correct, the patient has a right to have the discrepancy noted in their records. Lastly, patients have the right to know how their information is being used and shared by health professionals and insurance companies. By law, health information can be shared for learning purposes among professionals, health statistics, and for other federally mandated purposes including but not limited to: reporting when a virus is rampant in an area, reporting to the police, or providing information to those who pay bills for another person. But again, individuals always have the right to know where their information is sent and who is viewing it (United States). Even when information is federally mandated, procedures still have to be taken to protect patient information to the utmost degree; an example related to a breach of this sort was when a hospital incorrectly gave out too much protected health information in response to a subpoena because they had not contacted the patient first (“HIPAA Case Examples”).

On the other side, HIPAA also has rules that regulate all health care providers, insurance companies, and government agencies that pay for health care. It requires them to ensure the safety of patient information and records and requires them to be accountable for the release of patient information and its usage. For example, once a health care provider breached HIPAA by accidentally sending a patients medical information to his/her place of work instead of insurance company; measures were taken to “revise the office’s fax cover page to underscore a confidential communication for the intended recipient” and employees were counseled for proper procedures in the future (“HIPAA Case Examples”). For health care providers and professionals, HIPAA mainly exists to attempt to clarify the line between balancing public interest and personal privacy. The privacy rule is a part of HIPAA that direct professionals and providers on how to appropriately safeguard information. With the shift toward technology for storing patient information and records, the security rule was enacted as well. This rule establishes safeguards directly related to technology and how to avoid technological breaches. Violating either the privacy or security rules, or any part of HIPAA, is considered a federal offense and there are both civil and criminal penalties. The enforcement rule was enacted in order to list out specific procedures necessary for investigating a breach of conduct. Professionals must always be compliant during investigations. Additionally, it lists out penalties for not following any rules. Breaches are taken so seriously because they have many consequences for not only the perpetrator, but also the patient, as evidenced in figure 1 (Health Information Privacy).

Untitled1Figure 1: Lists of the different consequences for health practices and patients when HIPAA is violated (Health Information Privacy).

Historical Context

Enacted in 1996, this broad healthcare reform was initially called the Kennedy-Kassebaum bill. Congress drafted it with two purposes in mind. The first aim reflected the “portability” part of the current name of the name; congress was trying to ensure that individuals could keep their health insurance as they transitioned between jobs. The second aim reflected the “accountability” part of the current name of the act (“HIPAA Background”).

Before 1996, there was no legislation concerning the protection of healthcare information. Around 1970, Congress started passing legislation concerning the protection of other citizen information like drivers’ records and school records; however, nothing concerning any form of health record protection was passed until 1996. It took so long for an act such as HIPAA to be passed because there is such a large number of people and entities that have access to and disposal of health care information that it seemed like such a large feat to be able to somehow regulate a network on this scale. Moreover, professionals realized that as the United States progressed in to the digital age, regulation would take on a totally different form and require different means. Politicians, health care workers, and constituents alike wondered if an act like this would actually come to fruition (“HIPAA Background”).

With the passage, there have been small modifications as technology and different forms of health care storage have advanced. The Privacy Rule was added in 2002 to keep pace with advancements in how information was being shared (“Beyond the HIPAA Privacy Rule:”). The Security Rule was created soon after to standardize how electronic information could be “created, received, used, or maintained” by an entity (“The Security Rule”).

The last major government attention given to HIPAA came in 2010 alongside the Affordable Care Act. The government expanded HIPAA to decree new standards for insurance transactions; these included the transfer of electronic funds, claims attachments, and the enforcement of health plan identifiers, which were actually called for in the original 1996 act (‘Timeline of Key Statues and Limitations”).

 

Controversy

            The continued modification of HIPAA, in particular the addition of the Privacy and Security rules, has caused a blurred line for those who wish to use patient information in the name of serving the greater good, i.e. doing research. While the protection of patient information and medical research are both beneficial to the individual and society, HIPAA has made it difficult to use even non-patient-identifiable information for research purposes without causing unrest amongst those who are weary of their information being spread. Research studies can take patient information ranging from general physical profile to smoking habits to someone’s genome; however, all of this information can be studied to make conclusions that can hopefully be generalized to the entire population (“Beyond the HIPAA Privacy Rule”).

Although patients are more willing to let their information be released if they know its being protected, the Privacy rule has not completely eliminated the public’s concern. Except for with “express notice and consent,” the majority of people do not want their information going anywhere (Feld). Many argue that this could be considered a debate over research subject protection, as in protecting the autonomy and safety of those involved in studies (Feld). HIPAA has drawn more attention to the flow of patient information and now this flow is under the scrutiny of the public eye. HIPAA has made it much harder for information to be shared for research purposes, as there are many checks and balances as evidenced in figure 2.

UntitledFigure 2: A flow chart demonstrating all the check points that must be passed before Protected Health Information (PHI) can be used in research (“Is Your Research Covered…”).

When the privacy rule was in its beginning stages, researchers were quick to see their impending detriment and point out where this rule would thwart research advancements. They urged lawmakers not to include research in the privacy regulations so that the scientific community could continue to have access to information. There were repetitive reminders from this community that the information being used was non-patient-identifiable and that its uses had potential benefits for the greater good of society (“Beyond the HIPAA Privacy Rule:”). Many proposed that instead of trying to specify all the times that sharing of information was permissible, that the HHS should have “chosen instead to specify all permissible uses or disclosures of identifiable health information by those entities covered by HIPAA” (Kulynynch). Researches were accustomed to being able to take any information that was non-identifiable and use it at their disposal; however, the prospects for articles of the privacy rule much more precisely defined what was “identifiable” information than federal research regulations did (Kulynynch).

Numerous polls, surveys, and expert opinions have expressed concern over the scientific community’s lack of access to health care information now. Educational organizations, health institutions, and researchers alike have provided recommendations to the U.S. Department of Health and Human Services as to how to amend HIPAA and its provisions regarding the strict regulation of research. With little progress being made, many have concluded that HIPAA impedes the ability for researches to provide beneficial knowledge to society (“Beyond the HIPAA Privacy Rule:”).

 

Relation to Politics of Health

HIPPA is related to politics of health because it is a form of biopower. Micheal Foucault crafted the term as a means to express how members of a population were becoming “the object of intervention for the techniques and strategies of those who are able to exercise power” (Stavrianakis 279). Populations and its individual members are becoming more subjected to the control of government, and that as different divisions of government emerge, control techniques become more and more meticulous. Although HIPAA does have articles and rules in place to ensure the confidentiality of patients, it also puts a lot of responsibility and control in to the hands of professionals and health care providers. While it has protective intentions, HIPAA is not preventative of those who wish to mishandle information; it is on health care providers to be accountable and hold themselves to the HIPAA standards. As evidenced by the examples through out this entry, the proper handling of information is entirely up to the health care providers. Unless someone is caught misusing information, there is no real way to account for the ways that information is being spread. One could argue that HIPAA is one of the “ways through which humans beings are made subjects” as humans and their privacy become increasingly subjected to the whims of the government (Stavrianakis 279). Protection of health care could at first have been considered a trail and error run by the government as many were unsure how HIPAA would pan out. This is a clear example of biopower as an entire population is controlled by different policies as a means to preserve the disciplinary power of the government (Kelly).

HIPAA is also related to politics of health because it has to confront obstacles dealing with informed consent, especially in relation to the research controversy mentioned above. Ruha Benjamin discusses informed consent in juxtaposition with informed refusal in “Informed Refusal: Toward a Justice-based Bioethics.” Ruha says that “’informed consent’ implicitly links the transmission of information to the granting of permission on the part of … research subjects” (Benjamin 967). Those who agree for their information to be used in research studies want to know exactly how their information will be used, who will see it, and if they will be linked to it in any way at all. When research is used for one study, there is not much protocol in place about reconsent for the additional use of information. This issue, called “benefit sharing” walks the line between accountability for “science in the public domanin and accountability to the community” (Benajmin 976). Informed consent is important in regards to HIPAA because those who agree to share information need to know exactly where its going in order navigate the matrix of what sharing breaches HIPAA and what sharing does not.

 

 

Works Cited

 

Benjamin, Ruha. “Informed Refusal.” Science, Technology, & Human Values, vol. 41, no. 6, 2016, pp. 967–990., doi:10.1177/0162243916656059.

 

“Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research.” National Center for BioTechnology Information, Institute of Medicine (US) Committee on Health Research and the Privacy of Health Information: 2009, www.ncbi.nlm.nih.gov/books/NBK9576/.

 

Feld, Andrew D. “The Health Insurance Portability and Accountability Act (HIPAA): Its Broad Effect on Practice.” American Journal of Gastroenterology, 1 July 2005, pp. 1440–1443., doi:10.1111/j.1572-0241.2005.50621.x.

 

“Health Information Privacy.” Health and Human Services, Department of Health and Human Services, www.hhs.gov/hipaa.

 

“HHS OCR – Your Health Information, Your Rights.” Department of Health and Human Services, 16 Feb. 2012.

 

“HIPAA Background.” Biological Sciences Divison, University of Chicago, Feb. 2010, www.bing.com/cr?IG=6F02F7FC8F984BFAA158E6461B49D5C4&CID=09130E4B3720653616D705DC368F64AB&rd=1&h=GV6SlrlJbFKNYregfIIR6nEiKvwfLAL9NiL76hrF2fo&v=1&r=http%3a%2f%2fhipaa.bsd.uchicago.edu%2fbackground.html&p=DevEx,5069.1.

 

“HIPAA Case Examples.” US Department of Health and Human Services, Office for Civil Rights, www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples.

 

“HIPAA Title Information.” CA.gov, California Department of Health Care Services, www.dhcs.ca.gov/formsandpubs/laws/hipaa/Pages/1.10HIPAATitleInformation.aspx.

 

“Is Your Research Covered by HIPAA’s Privacy Rule.” Research and Economic Development, University of Missouri – Kansas City, ors.umkc.edu/research-compliance-(iacuc-ibc-irb-rsc)/hipaa/umkc-privacy-board.

 

Kelly, Mark. “Michel Foucault: Political Thought.” Internet Encyclopedia of Philosophy, www.iep.utm.edu/fouc-pol/#H7.

 

Kulynych, J. “The New HIPAA (Health Insurance Portability and Accountability Act of 1996) Medical Privacy Rule: Help or Hindrance for Clinical Research?” Circulation, vol. 108, no. 8, 2003, pp. 912–914., doi:10.1161/01.cir.0000080642.35380.50.

 

Starr, Paul. “The Signing of the Kennedy-Kassebaum Bill, by Paul Starr.” Princeton University, The Trustees of Princeton University, www.princeton.edu/~starr/articles/signing.html.

 

 

Stavrianakis, Anthony. 2013. Foucault, Michel. In Theory in Social and Cultural Anthropology : An Encyclopedia. Eds. Warms, Richard L., and R. Jon McGee. Thousand Oaks, California: SAGE Publications, Inc. Pages: 277 – 280.

 

“The Security Rule.” Health and Human Services, Department of Health and Human Services, 12 May 2017, www.hhs.gov/hipaa/for-professionals/security/index.html.

 

“Timeline of Key Statutes and Regulations” www.cms.gov/Regulations-and-Guidance/Administrative-Simplification/HIPAA-ACA/Downloads/TimelineofKeyStatutesandRegulations20160725.pdf.

 

United States, Department of Health and Human Services, Office of Civil Rights. “Your Health Information Privacy Rights.”

Additional Resources

Examples of Case Studies of HIPAA Breaches: https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples

How to file a HIPAA breach:https://www.hhs.gov/hipaa/filing-a-complaint/complaint-process/index.html Here you can see the somewhat long process for filing a HIPAA breach. An interesting question to ponder: does having such a tedious process for filing a HIPAA breach deter people from even reporting in the first place? Is this process a sort of safety-net for health care providers and institutions?

News related to HIPAA breaches: https://www.hhs.gov/hipaa/newsroom/index.html Here, one can see some of the most drastic consequences for failing to miss be compliant with one part of HIPAA. Consequences are often very expensive for companies and health care providers.

« Back to Glossary Index
Bookmark the permalink.