What is HIPAA Really? A Rule by Rule Breakdown

The HIPAA Privacy Rule and Home Health Agencies

HIPAA (Health Insurance Portability and Accountability Act of 1996) addresses the protection of individually identifiable health information. Everyone in healthcare is familiar with HIPAA and the general precautions taken to be "HIPAA Compliant" but few really understand the full scope of the legislation. The HIPAA rules are comprised of several sections, such as the Privacy Rule, the Security Rule and Enforcement Rule. 

Click here to read the complete HIPAA regulation text provided by the Department of Health and Human Services. 

HIPAA: The Privacy Rule

The Privacy Rule came into effect on April 14, 2013 and describes the allowable communications conducted by and between insurance companies, clearinghouses and providers, like home health agencies. Insurance companies, clearinghouses and providers are called "covered entities". Communications that fall under the Privacy Rule among covered entities such as an authorization requests, eligibility inquiries and claim transmissions. It further defines the type of information that these transactions carry as "individually identifiable health information" specifically referring to information about a person's health status or any received treatments at any point during his or her lifetime. Here are important and applicable elements of the Privacy Rule:

Identifiable Information

Identifiable information refers to information that can be used to identify a specific individual. For example, just a name without any other identifying elements probably can't pin point a specific person residing in the US but if a date of birth, address or social security number are added then the information falls under the HIPAA rule. There are no limitations on the use of protected health information (PHI) that cannot easily be linked to an individual.

Business Associates

A Business Associate is any person or organization a covered entity works with, besides people who are directly employed by the covered entity. This includes billing companies, staffing companies, consultants, accountants, attorneys and any other individuals or companies that have access to protected health information. Because Business Associates are not covered entities, home health agencies (and all other covered entities) are required to maintain Business Associate Agreements with any Business Associate they interact with. The Business Associate Agreement is a contract that outlines the appropriate and inappropriate uses of individually identifiable health information.

Rights of the Individual

The written authorization of the individual or their representative is required for use of PHI outside of the scope of the Privacy Rule. Covered entities cannot require that an individual provides consent as a condition of services and can't alter payment requirements in any way as a result of receiving or not receiving written consent. For example, a home health care agency can't reduce charges for home health services if a written consent is signed by the patient authorizing the agency to use the patient's information for marketing purposes. 

Individuals also have the right to restrict the use of their information. For example, a patient may request that their information not be shared with specific family members or other providers. The home care company needs to respect and follow the requests of the individual except in the case of a medical emergency.

Individuals may request their entire medical record and can also request amendments to those records if they are incomplete or inaccurate.

A patient can also ask for a list of disclosures of their information made outside the scope of the Privacy Rule.

Patients may request that covered entities employ specific methods of communicating with them. For example, a patient may request all communication via mail to a specific address, instead of email or phone. The agency must, as long as the request is reasonable and doesn't impede on the actual treatment or services provided, honor the patient's request.

Agencies must provide each patient with a notice of Privacy Practices upon the first encounter with the patient.

Data Use and Protection

1. Minimum Necessary Use: Covered entities must only provide the minimum information necessary to the person requesting information. Entities requesting information must only request the minimum information they need.

2. Personnel: All employees, volunteers and other members of the HHA's workforce must be trained regarding the requirements and standards of the HIPAA Privacy Rule. The agency must designate a staff member to enforce the policies and procedures related to HIPAA, and to act as the official contact person of the organization in case of complaints or other inquiries regarding privacy procedures. 

3. Safeguards: Covered entities have to ensure that the appropriate actions are taken so that protected health information isn't easily accessible to individuals not associated with the the organization. For example, agencies need to make sure that their records are kept in lockable cabinets or rooms that only home health staff can access; that computers and programs containing private patient information are locked with secure passwords; and that documents are shredded when discarded.

4. Marketing: Written authorization must be obtained if a patient's information is to be disclosed for marketing purposes. Exceptions to the definitions of marketing applicable to home health agencies are:

   1. If a covered entity directly providing services or treatment to a patient informs the patient of other services or treatment that is directly available by the same covered entity.

   2. If a covered entity directly providing services or treatment to a patient recommends alternative treatment or care by other health providers or in another setting. 

Acceptable Use of PHI

Health information can be used without the written consent of the individual or their representative in the following circumstances:

1. Providing health information to the patient is permitted under the HIPAA Privacy Rule. There is no need for extra precautions or any additional consents.

2. Protected health information can be shared within the organization of a covered entity or between two or more covered entities if all involved people/organizations are participating in the care of the individual. Activities relating to the treatment such as coordinating services and referring a patient between healthcare providers; payment arrangements such as eligibility and authorization inquiries and reimbursement related activities; and health care operations such as chart audits, quality improvement activities and business planning.

3. Health information can be used with the informal approval of the patient or representative when used in a facility directory, such as a hospital where family members can ask about where in the hospital the patient is located just by providing a name; and in the case of health notifications and other uses related to family members and friends such as the ability to pick up a prescription for another person.

4. PHI can be used in common healthcare practices as long as efforts are made to limit the amount of protected health information used in these instances. An example is providers discussing the health status of a patient with that patient or another provider in a hallway or waiting area of a hospital. HIPAA does not limit the ability of healthcare staff to conduct these vital communications that facilitate timely and appropriate care as long as the proper safeguards are used, such as speaking quietly, limiting the use of the patients name, maintaining policies about who can access confidential medical records via locked cabinets or chart rooms, password protected computer systems and so on.

5. Covered entities can disclosed PHI when required by court or regulation, in relation public health activities such as reporting a communicable disease to the CDC, in reporting abuse, neglect or health oversight, in response to a subpoena, for law enforcement reasons, organ donations or research, to report a safety or health threat, or to comply with worker's compensation laws.

6. Health information can be used for limited data sets as long as the business associate receiving the data set agrees to enforcing appropriate safeguards to the PHI. A limited data set is information where some identifying information is taken out.