Difference between revisions of "Health Insurance Portability and Accountability Act (HIPAA)"

From Clinfowiki
Revision as of 15:49, 19 March 2012

The Health Insurance Portability and Accountability Act (HIPAA) sets national minimum privacy requirements for personal protected health information (PHI). It protects the security and privacy of health data. HIPAA also encourages electronic data interchange among different electronic medical record systems.

History

On August 21, 1996, the United States Congress enacted the Health Insurance Portability and Accountability Act (HIPAA). It is also known as the Kennedy-Kassebaum Act.

Purpose of HIPAA

The purpose of HIPAA is to improve the efficiency, effectiveness, and security of the national health system.

  • Increase efficiency: paperwork is reduced for healthcare providers because records are handled electronically.
  • Reduce fraud and abuse: a digital paper trail makes fraud prosecution easier.
  • Portability: an employee is guaranteed health insurance coverage, even when changing jobs.
  • Security: increased security for patient health information and protection of patient rights.
  • Accountability: protection of the integrity, confidentiality and availability of health data.

Security standards

Security refers to the ability to control access and protect information from disclosure to unauthorized persons.

To comply with the security standards, an electronic medical record (EMR) must have written, comprehensive security policies, access controls, control over the physical environment, clearance procedures, and a record of all access authorizations.

The Privacy Rule

The Privacy Rule defines the minimum Federal standards for protection of patient data by a covered entity for research and other purposes. It specifies who is a Covered Entity, what protected health information (PHI) is, and the conditions under which PHI can be distributed.

In general, there are three ways that PHI can be distributed by a Covered Entity under the Privacy Rule. The first is by the creation of De-Identified Patient Data. This process theoretically removes all individually identifying information from the patient record, allowing the data to be used for research or financial gain without the ability to link the information back to a particular person. In reality, this has not been completely successful.

The second method is to get written permission from the patient to release their PHI. [1]

Lastly, an Institutional Review Board (IRB) can also approve the use of Protected Health Information (PHI) in specific situations for certain types of research.

Implications to Clinical Information Systems

  • Personal Health Records (PHRs). See PHRs and HIPAA.

References

  1. http://dataprivacylab.org/projects/identifiability/index.html
  2. http://privacyruleandresearch.nih.gov/pdf/HIPAA_Privacy_Rule_Booklet.pdf