HIPAA is the Health Insurance Portability and Accountability Act of 1996. Its Privacy Rule (compliance required from 2003) and Security Rule (compliance required from 2005) establish national standards to protect individuals' medical records and other protected health information (PHI).
What Are My Rights Under HIPAA?
A series of short educational videos is available at HealthIT.gov to help individuals better understand their right to see and get their health information and to have that information sent to others of their choosing (including family members, caregivers, or a mobile device application).
You have the right to inspect and obtain a copy of your protected health information.
You have the right to request a restriction of your protected health information.
You have the right to request to receive confidential communication from us by alternative means or at an alternative location.
You have the right to request an amendment to your protected health information.
You have the right to receive an accounting of certain disclosures we have made, if any, of your protected health information.
You have the right to obtain a copy of this notice from us.
You have the right to file a complaint.
You have the right to receive a notice following a breach of your unsecured PHI.
Those required to comply with these standards set by Congress include health plans, healthcare clearinghouses and healthcare providers who conduct certain financial and administrative transactions electronically. These entities (collectively called "covered entities") are bound by the standards even if they contract with others (called "business associates") to perform some of their essential functions. In compliance with these regulations, Baptist Health:
- Provides information to patients about their privacy rights and how their information can be used.
- Has privacy/security policies and procedures for its practice or hospital.
- Trains employees so that they understand the policies and procedures.
- Employs a Privacy Officer and a Chief Information Security Officer to be responsible for seeing that the policies and procedures are adopted and followed.
- Secures patient records containing PHI so that the records are not readily available to those who do not need them.
The American Recovery and Reinvestment Act of 2009 contains a set of provisions known as the Health Information Technology for Economic and Clinical Health Act (HITECH Act). This Act modifies the existing HIPAA privacy and security requirements by providing for the following:
- Increases civil monetary penalties for HIPAA violations.
- Makes business associates directly subject to the HIPAA Security Rule.
- Defines what constitutes a breach and sets the notification requirements under which certain breaches must be reported to patients, the media and the HHS Office for Civil Rights (OCR).
- Imposes restrictions on certain types of disclosures (e.g. sale, marketing of PHI).
To report a privacy/security violation or to request additional information, please contact the Privacy Office at (501) 202-6776 or email Compliance@baptist-health.org.
What is Protected Health Information (PHI), otherwise known as "individually identifiable health information"?
How are covered entities (like our healthcare system) expected to determine what is the minimum necessary information that can be used, disclosed or requested for a particular purpose?
How is minimum necessary defined?
Do the minimum necessary requirements prohibit covered entities from maintaining patient medical charts at bedside, require that covered entities shred empty prescription vials or require that X-ray light boards be isolated?
What is an Authorization?
What information can a hospital provide if one inquires about a patient by name?
If healthcare providers engage in confidential conversations with other providers or with patients, have they violated the rule if there is a possibility that they could be overheard?
- Healthcare staff may orally coordinate services at hospital nursing stations.
- Nurses or other healthcare professionals may discuss a patient's condition over the phone with the patient, a provider or a family member.
- A healthcare professional may discuss lab test results with a patient or other provider in a joint treatment area.
- Healthcare professionals may discuss a patient's condition during training rounds in an academic or training institution.
Does the Privacy Rule require hospitals and doctors' offices to be retrofitted, to provide private rooms and soundproof walls to avoid any possibility that a conversation is overheard?
Can a physician's office or hospital FAX patient medical information to another physician's office or hospital?
Can we still use the sign-out/in sheets at the desk to track patient locations off the unit?
How will this affect students having access to patient information during their training?
Are hospitals able to inform the clergy about parishioners in the hospital?
Yes. A hospital may keep a facility directory containing:
- the individual's name;
- location in the facility;
- health condition expressed in general terms; and
- religious affiliation.
The facility may disclose this directory information to members of the clergy. For example, a hospital may disclose the names of Methodist patients to a Methodist minister unless a patient has restricted such disclosure.
A hospital customarily displays patients' names next to the door of the hospital rooms that they occupy. Will the Privacy Rule allow the hospital to continue this practice?
Can physician offices use patient sign-in sheets or call out the names of patients in their waiting rooms?
For additional information or questions, please contact Dana Williams, Privacy Officer, at (501) 202-6776.