The Health Insurance Portability and Accountability Act (HIPAA) contains administrative simplification provisions that are designed to encourage health care providers and health plans to process health claims and payments (and to perform other administrative functions) electronically, using standard transactions and uniform code sets. The administrative simplification provisions also include privacy and security safeguards for protected health information (PHI) held by health care providers, insured or self-insured health plans or billing clearinghouses (collectively referred to as covered entities).
A. Permitted Uses and Disclosures of Protected Health Information
The HIPAA privacy regulations limit the use and disclosure of PHI, and learning the details of permitted use and disclosure will be one of the most important tasks facing covered entities. In simplified form, permitted uses and disclosures fall into the following categories:
1. Disclosures to the individual, which require only a request by the individual;
2. Disclosures to the Secretary of the U.S. Department of Health and Human Services, which require only a request by the Secretary;
3. Uses and disclosures for treatment, payment or health care operations, which require no affirmative action on the part of the individual other than seeking treatment or payment for health care;
4. Uses and disclosures that require the individual to have an opportunity to agree or object;
5. Uses and disclosures for specific purposes listed in the regulations, which require no affirmative action on the part of the individual; and
6. Uses and disclosures that do not fall into any of the other categories, and for which an authorization is therefore required.
Although the applicable regulations address all of the categories described above, two of them warrant particular attention: uses and disclosures that are subject to an opportunity to agree or object, and uses and disclosures that require no further action on the part of the individual.
B. Uses and Disclosures Subject to an Opportunity to Agree or Object
PHI may be used or disclosed in facility directories and to persons involved with the patient's care or payment for care if the patient is given an opportunity to agree or object. The individual's agreement or objection may be obtained orally; no written acknowledgment is required for these uses and disclosures.
More specifically, a provider may use the individual's name, location in the facility, general condition, and religious affiliation for a facility directory. That information may be disclosed to a member of the clergy and, except for religious affiliation, to any person who asks for the individual by name. Special provisions apply if the individual is incapacitated or if there is an emergency treatment situation.
A provider or health plan may also disclose PHI to a family member, close personal friend, or other person identified by the individual if the PHI is directly relevant to such person's involvement with the individual's care or payment for the care. In addition, a provider or health plan may use or disclose PHI to notify a family member, personal representative, or other person responsible for the care of the individual of the individual's location, general condition, or death. The requirements for these uses and disclosures differ depending on whether the individual is present or not, and whether a use or disclosure for notification purposes is part of disaster relief efforts.
C. Uses and Disclosures That Require No Action on the Part of the Individual
The privacy regulations list nine categories for which both uses and disclosures are permitted by covered entities, and three categories for which disclosures are permitted, with no action required on the part of the individual. Uses and disclosures are permitted:
1. As required by law;
2. For public health activities;
3. For health oversight activities;
4. About decedents;
5. For cadaveric organ, eye, or tissue donation purposes;
6. For research purposes;
7. To avert a serious threat to health or safety;
8. For specialized government functions; and
9. For workers' compensation.
Disclosures are permitted:
1. About victims of abuse, neglect, or domestic violence;
2. For judicial and administrative proceedings; and
3. For law enforcement purposes.
The uses and disclosures permitted under these provisions may only be made by or to certain entities, and only for certain purposes; each category carries its own conditions, which a covered entity must verify before relying on it.
Most covered entities must comply with the HIPAA privacy regulations by April 14, 2003 (although some health plans have an additional year). As part of preparation for the deadline, covered entities should review how they currently use and disclose PHI, compare their uses and disclosures to those permitted by the regulations, and adjust their procedures to ensure that they will be in compliance with the regulations.