The Health Insurance Portability and Accountability Act (HIPAA) is federal legislation that was signed into law by President Clinton in 1996. The Act ensures that people can renew or obtain health insurance in the event of job loss or job change. This portability between work settings is intended to reduce, and hopefully eliminate, discrimination against those with a pre-existing medical condition. The legislation was expanded to include administrative simplification and health care abuse and fraud provisions that, for the most part, focused on issues related to the privacy of patient health information.

Administrative simplification falls into two categories: standardizing shared electronic information, and protecting the privacy and security of patient information that is stored in the electronic medical record. The privacy of patient information drove the writing of the Privacy Rule. The US Department of Health and Human Services (HHS) issued the Privacy Rule to be implemented as a requirement of the Health Insurance Portability and Accountability Act of 1996. The requirements are described in the HIPAA Privacy Rule Summary.

HHS published a proposed rule defining privacy standards for individually identifiable health information on November 3, 1999. The proposed rule was made available to the public for review, and more than 52,000 comments were submitted in response. These comments were organized, and HHS considered them before issuing a final rule on December 28, 2000 that formally established standards for the privacy of individually identifiable health information, more commonly known as the Privacy Rule.

The Privacy Rule standards address the use and disclosure of individuals’ health information, called protected health information. Organizations that must demonstrate compliance with privacy standards for individuals’ privacy rights must understand and control how their patients’ health information is used. The Privacy Rule describes the rules that govern the access, use and disclosure of personal health information.

The O’Neill Institute (2009) wrote an executive summary that defines the ultimate goal of the Privacy Rule: to ensure that a person’s health information is easily accessible to health care providers authorized to access it, and that the person’s health information is also kept confidential and protected from inappropriate use.

Since the enactment of the Privacy Rule there has been much confusion and misunderstanding about how it applies to various situations. The final Privacy Rule was enacted in 2001, and special guidelines were written to address concerns about the application of the Privacy Rule to unique health care activities. Within HHS is the Office for Civil Rights (OCR). This office is responsible for implementing and enforcing the Privacy Rule with respect to compliance activities. Financial fines are imposed on health entities for non-compliance.

The notice of privacy practices must be in writing, and patients must be informed of their rights regarding their personal health information. These rights cover access to medical records, amendment of information contained in the patient's personal medical record, an accounting of persons who have had access to the patient's medical information, and special requests to limit disclosure of sensitive information. When the electronic health record began to emerge, other concerns regarding the protection of health information had to be addressed on a different level.

The American Recovery and Reinvestment Act (ARRA) was passed in 2009. Health Information Technology for Clinical and Economic Health (HITECH) was passed as part of ARRA. The goal of funding this initiative was to develop advanced health information technology that would be used throughout the country, and to encourage organizations to participate and adopt a culture that represents advanced health information organizations. Healthcare facilities are expected to have a certified electronic health record that is compliant with HIPAA, Privacy Rule, HITECH, and ARRA requirements. If this is accomplished, the health care facility would be allocated additional funds to assist with the provision of patient care. Full implementation of an electronic system is expected to be ready by the end of 2013.