The History of HIPAA

In this lesson, we'll dig a little deeper into what HIPAA is, what it covers, the evolution of protecting healthcare patient data, and the benefits that this legislation produces.

In the 1990s, as the internet was coming onto the scene and growing rapidly, congress recognized the need to establish a system that would help enforce the rights of patients and at the same time, protect the privacy of their medical records.

This need and the realization of it led to the creation of the Health Insurance Portability and Accountability Act of 1996, better known as HIPAA. Eventually, additional layers of protection would follow with more legislation.

As health records were becoming digitized, this led to the HITECH Act of 2009, also known as the Health Information Technology for Economic and Clinical Health Act of 2009. And finally …

The Omnibus rule of 2013 expanded how technology companies protected healthcare data, while also enforcing the security and policies set forth by the Health and Human Services Office for Civil Rights.

This important U.S. legislation provides data privacy and security provisions for safeguarding medical information. It includes the portability of insurance information between covered entities and providers to insurance companies. And it covers the protection and privacy of healthcare information transmitted electronically.

Obvious benefits of such legislation include helping to improve the standardization and efficiency in healthcare data and helping to prevent discrimination and fraud.

A Word About PHI Guidelines

Remember, for information to be considered PHI – Protected Health Information – it must be healthcare-related and it must be identifiable, as in used to identify the person whose information it is.

PHI can include demographic information, medical records, services rendered, and payment and billing information. And more importantly, as it pertains to this section, PHI can be:

• In electronic form
• In paper form
• Orally delivered

And now let's turn from the theoretical to the practical with a question: What can covered entities and business associates do to better protect this information?

It depends on how the information was delivered or in what form it currently resides. But whatever form that PHI takes, we have a set of guidelines that will help you protect it. (On a side note, if you were longing for some lists, you're going to be very excited.)

In-Person Conversations Guidelines

• Discuss Patients PHI in private.
• Use an office with a door whenever possible or leave areas where others can overhear.
• Be aware of those around you and lower your voice when discussing a patient's health information.
• If possible, point out health information on paper or on-screen nonverbally when discussing a patient's health information.

Telephone Conversations Guidelines

• Follow the above guidelines plus …
• Don't use names; instead say "I have a question about a patient."
• Never give PHI over the phone when talking to unknown callers.
• Never leave PHI on voice messages. Instead leave a message requesting a return call to discuss a patient, and leave only your name and phone number.
• Do not discuss PHI over unencrypted cellular or portable (wireless) phones or in an emergency, as the transmissions can be intercepted.

Texting Guidelines

• Use a secure text messaging system.
• Develop, document, and implement your organization's mobile device policies and procedures to safeguard health information.

Faxing Guidelines

• Put fax machines in a safe location. That means in places where people don't have access to them who shouldn't.
• Use a cover sheet clearly identifying the intended recipient and include your name and contact information on the cover sheet.
• Do not include or reference any PHI on the cover sheet.
• Confirm the fax number is correct before sending.
• Whenever possible, send all faxes containing patient health information only when the authorized recipients are there to receive them.
• Verify that the fax was received by the authorized recipient; check the transmission report to ensure the correct number was reached and, when necessary, contact the authorized recipient to confirm receipt.
• Deliver received faxes to the recipient as soon as possible.
• Do not leave faxes unattended at the fax machine.

Emailing Guidelines

• Do not include PHI in the subject line or the body of an email.
• Transmit PHI only in a password-protected attachment. (MS Word and MS Excel both provide password protection.)
• Include a confidentiality attachment in any emails that contain attachments with PHI.
• Do not send attachment passwords in the same email as the attachment.
• Include your contact information (at minimum, your name and phone number) as part of the email.
• Set email sending options to request an automatic return receipt from your recipients.
• Request that email recipients call to discuss specific patient data.
• Do not store emails or email attachments with PHI on your hard drive. Instead, copy and store to a secure server.
• Delete all emails and their attachments when they are no longer needed.

Courier and Regular Mail Guidelines

• Use sealed and secured envelopes to send PHI.
• Verify that the authorized person accepting the package has received it.
• Deliver all mail promptly to the recipient.
• Mailboxes must be in safe areas and not located in public or high-traffic areas.

Inter-Office Mail Guidelines

• Put PHI in closed inter-office envelopes. As an added precaution, put PHI in a sealed envelope first.
• Identify the recipient by name and verify the mail center address.
• Distribute inter-office mail promptly to recipients. Do not leave it unattended in mailboxes.
• Where practical, use lockable containers (e.g. briefcases) to transport correspondence that contains PHI.