On August 21, 1996, President Bill Clinton signed the Health Insurance Portability and Accountability Act (HIPAA) into law. High healthcare costs due to multiple administrative and provider levels led legislators to create a more simplified process to administrate the business of healthcare in the United States. However, because this act, by its very nature, would jeopardize patient privacy, regulatory safeguards were provided to cover electronic transmissions, privacy, and security.
The healthcare workforce, including both new hires and established workers, who have contact with protected health information (PHI) are required to receive HIPAA training on a regular basis. In order to achieve this and to monitor compliance, each covered entity is required to have a designated HIPAA compliance officer.
This article will focus on specific sections of HIPAA that are of particular importance to nurses, including:
- standards for electronic transactions security
- national identifiers for users in healthcare transactions.
Protected healthcare information
PHI is utilized by clinical-care nurses on a daily basis, and it's important to understand the core elements of the Privacy Rule (see Privacy Rule definitions). A minimum of general patient information can be released. For example, patient names can be listed on the outside of hospital rooms. Patient information services can release information such as "Mrs. Jones is a patient on the third floor," but not "Mrs. Jones has been admitted to the third floor in a diabetic coma." Nurses can communicate with other members of the healthcare team caring for the same patient. Nursing students should also receive training in HIPAA before their clinical rotations.
According to HIPAA guidelines, disclosure of PHI is limited to the individual patients and their legally authorized representative, the Department of Health and Human Services, and legal entities as defined by state law (see Examples of PHI). There are, however, exceptions to the Privacy Rule, which include, but aren't limited to, reporting of victims of abuse, neglect, or domestic violence. Patients must be provided with a written copy of the organization's Notice of Privacy (in its entirety), which specifies their individual right to restrict the use or disclosure of this information.
For nurses, this is the section that prohibits discussions of PHI in the presence of unauthorized individuals, including other patients, family members, and visitors, in common or public areas where you may be overheard or when using telecommunication devices that aren't secure. If you're required to fax PHI, you're expected to use reasonable and appropriate safeguards to ensure its security. Each entity should have specific policies in place to address appropriate safeguards for conveying PHI by e-mail, fax, and verbal communication. Many institutions are currently utilizing encryption systems, and case managers continue to require appropriate authorizations.
HIPAA provides the minimum standards for covered entities. Law enforcement isn't a covered entity. PHI may be disclosed without authorization when deemed necessary for public safety. There should be institutional policies in place to guide nurses regarding unauthorized disclosures to law enforcement.
As a clinical-care nurse, you may also participate in research. It's important to distinguish the areas of your responsibilities that are patient centered and those that are research centered because the Privacy Rule makes a clear distinction. For example, if you're rendering clinical care, you're allowed to have access to PHI to properly carry out your job. However, if you want access to PHI to make clinical comparisons of response to treatment or answer another research question, the hospital admission authorization wouldn't apply. In that circumstance, the nurse researcher would be required to request either authorization from the patients or a waiver of authorization because the information will be used for a purpose other than the purpose indicated on the hospital admission consent. In cases involving waiver of authorization, the final determination rests with a privacy board or the Institutional Review Board. In general, you'll see waivers requested for retrospective chart reviews.
Standards for electronic transactions security
The Modifications to Electronic Data Transaction Standards and Code Sets appeared in the Federal Registry in 2003 and was universally required by October 2004. It requires the use of standardized transaction with common codes sets, generally adopted from ICD-9 CM and CPT-4. Compliance with HIPAA is the responsibility of the compliance officer of the covered entity.
This section focuses on the Security Rule, which protects electronic PHI (or ePHI) from unauthorized access. Security access in this context is different from privacy, but they're clearly interrelated. Each covered entity is required to have systems in place, not only for access, but also for specific levels of access permitted to enable each employee to perform his or her duties. Each person logging on to the electronic system must be identified with a specific log-in and password, which should be private, secure, and periodically updated. Because many of us are using common computer terminals during the workday, it's important to keep your password and log-in information secure and not share it with colleagues.
National identifiers for users in healthcare transactions
There are unique identifiers for participants in healthcare claims, including healthcare providers, health plans, employers, and patients. Each nurse should be able to identify him or herself or his or her employers as covered entities, healthcare providers, or business associates. You should become familiar with the compliance officer for your organization in case of questions, concerns, or updates.
Regulations may change in response to new legislation. It's the responsibility of each nurse to know his or her organization's privacy policies and how to follow established HIPAA policies (see Compliance tips).
Keep up to date on the latest changes
Resources for keeping up to date on the latest policies and amendments, as well as access to frequently asked questions include:
- Department of Health and Human Services: http://www.hhs.gov
- Centers for Medicare and Medicaid Services: http://www.cms.hhs.gov and search HIPAA links
- Office of the Federal Register: http://www.gpoaccess.gov/
- HIPAA Hotline: 1-866-282-0659.
Privacy Rule definitions
- Covered entity refers to healthcare providers, plans, and clearinghouses that engage in specific, standard electronic transactions.
- PHI is defined as all individually identifiable health information held or transmitted by or to the covered entity in any form or media, whether electronic, paper, or verbal.
Source: U.S. Department of Health & Human Services. Summary of the HIPAA Privacy Rule. http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html.
Examples of PHI
- Date of birth
- Social security number
- Device identifiers/serial numbers
- Full-face photos
Source: U.S. Department of Health and Human Services, Office for Civil Rights. Standards for privacy of individually identifiable health information. 45 CFR 164.514(b)(2)(i) December 28, 2000, amended April 17, 2003.
- Don't share computer log-ins or passwords to systems containing PHI.
- Never leave medical records unattended in public areas.
- Dispose of items containing PHI appropriately.
- Be sure to log out of computer or data systems containing PHI.
- Follow security systems for remote accessing of PHI.
- Activate the security settings of PDAs if they contain PHI.
- Avoid discussing patients in public places.
Source: U.S. Department of Health & Human Services. Understanding health information privacy. http://www.hhs.gov/ocr/privacy/hipaa/understanding/index.html.
Learn more about it
Anderson F. Finding HIPAA in your soup. Am J Nurs
Brous EA. HIPAA vs. law enforcement: a nurses' guide to managing conflicting responsibilities. Am J Nurs
Department of Health and Human Services. Does the HIPAA privacy rule permit covered entities to disclose protected health information, without individual's authorization, to public officials responding to a bioterrorism threat or other public health emergency?http://www.hhs.gov/ocr/privacy/hipaa/faq/disclosures_for_law_enforcement_purposes/397.html
DiBenedetto DV. The HIPAA toolbox. Lippincotts Case Manag
Krager D, Krager AH. HIPAA for Health Care Professionals
. New York, NY: Delmar Cengage Learning; 2008.
Muller LS. HIPAA compliance: implications for case managers. Lippincotts Case Manag
Neale AV, Schwartz KL. A primer of the HIPAA Privacy Rule for practice-based researchers. J Am Board Fam Pract
Nelson, SB, Privacy and Medical information on the Internet. Respir Care
Root J, Kibbe DC, Hubbard M, Hartley C. Field Guide to HIPAA Implementation
. Chicago, IL: American Medical Association Press; 2002.
Thompson BW. HIPAA guidelines for using PDAs. Nursing