The Health Insurance Portability and Accountability Act (HIPAA) is a federal law signed by President Clinton in 1996. It ensures that people can renew or obtain health insurance in the event of job loss or change. This provides portability across all work environments and is intended to reduce, and hopefully eliminate, discrimination against those with a pre-existing medical condition. The legislation was expanded to include administrative simplification and health care fraud and abuse, most of which focused on issues related to the privacy of patient health information.
Administrative simplification falls into two categories: standardizing the electronic information that is shared, and protecting the privacy and security of patient information stored in the electronic medical record. Concern for the privacy of patient information motivated the drafting of the Privacy Rule. The US Department of Health and Human Services (HHS) issued the Privacy Rule, to be implemented as a requirement of the Health Insurance Portability and Accountability Act of 1996. The requirements are outlined in the HIPAA Privacy Rule Summary.
HHS published a proposed rule defining privacy standards for individually identifiable health information on November 3, 1999. The proposed rule was available to the public for review, and the resulting public comments exceeded 52,000. These comments, generated in response to the proposed rule, were organized, and HHS took them into consideration before issuing a final rule on December 28, 2000. That rule formally established standards for the privacy of individually identifiable health information and is more commonly known as the Privacy Rule.
The Privacy Rule standards address the use and disclosure of individuals' medical information, referred to as protected health information. Organizations that must demonstrate compliance with the privacy standards protecting individuals' privacy rights must understand and control how their patients' health information is used. The Privacy Rule describes the regulations governing access to, use of, and disclosure of personal health information.
The O’Neill Institute (2009) wrote an executive summary that defines the ultimate goal of the Privacy Rule: to ensure that an individual’s health information is easily accessible to healthcare providers who are authorized to access it, and that the person’s health information is also kept confidential and protected from inappropriate use.
Since the promulgation of the Privacy Rule, there has been considerable confusion and misunderstanding about how it applies to various situations. The final Privacy Rule was enacted in 2001, and special guidelines were written to address concerns about applying the Privacy Rule to unique healthcare activities. Within HHS is the Office for Civil Rights (OCR). This office is responsible for implementing and enforcing the Privacy Rule with respect to compliance activities. Monetary sanctions are imposed on health entities for non-compliance.
The notice of privacy practices must be in writing, and patients must be informed of their rights regarding their personal health information. These rights cover access to medical records, modification of information contained in their personal medical record, an accounting of the people who have had access to their medical information, and special requests to limit the disclosure of confidential information. When electronic health records began to emerge, additional concerns about the protection of health information had to be addressed on a different level.
The American Recovery and Reinvestment Act (ARRA) was passed in 2009. The Health Information Technology for Economic and Clinical Health (HITECH) Act was passed as part of the ARRA. The objective of funding this initiative was to develop advanced health information technology that would be used throughout the country, and to encourage organizations to participate and adopt the culture of an advanced health information organization. Healthcare facilities are expected to have a certified electronic health record that meets the requirements of HIPAA, the Privacy Rule, HITECH, and ARRA. If this is accomplished, additional funds will be allocated to the healthcare facility to assist with the delivery of patient care. Full implementation of an electronic system is expected to be in place by the end of 2013.