California Psychology 27-Hour Ebook Continuing Education

Professional Ethics and Law in California, 2nd Edition

THE PRIVACY RULE (HIPAA)

In the late 20th century, the problem of employees losing health insurance between jobs and the growing danger of healthcare fraud led to the creation and passage of an important new law (HIPAA Journal, 2017). In 1996 the 104th Congress amended the Internal Revenue Code of 1986 and created Public Law 104-191, the Health Insurance Portability and Accountability Act. This act established the first national standards for the protection of certain health information, not only to prevent fraud but also to protect client and patient privacy. These standards, developed by the Department of Health and Human Services (HHS), took effect April 14, 2003.

The Privacy Rule standards address who may use, look at, and receive individuals' health information (protected health information, or PHI) held by the organizations (covered entities) subject to the rule. Covered entities include:

• Most doctors, nurses, pharmacies, hospitals, clinics, nursing homes, and other health care providers
• Health insurance companies, HMOs, and most employer group health plans
• Certain government programs that pay for health care, such as Medicare and Medicaid

Key provisions of the standards include the following:

• Access to Medical Records: Patients may ask to see and obtain a copy of their health records and may request that corrections be added to their health information.
• Notice of Privacy Practices: Patients must be given a notice that tells them how a covered entity may use and share their health information and how they can exercise their rights.
• Limits on Use of Personal Medical Information: The Privacy Rule sets limits on how health plans and covered providers may use individually identifiable health information. Generally, health information cannot be given to the patient's employer or shared for purposes beyond treatment, payment, and health care operations unless the patient signs an authorization form.
• Prohibition of Marketing: Pharmacies, health plans, and other covered entities must first obtain an individual's specific authorization before disclosing that individual's information for marketing.
• Stronger State Laws: As stated earlier, confidentiality protections are cumulative; any state law providing additional protections continues to apply. Likewise, where state law requires a particular disclosure, such as reporting an infectious disease outbreak, the federal privacy regulations do not preempt that state law.
• Confidential Communications: Patients have the right to expect covered entities to take reasonable steps to ensure that communications with them are confidential. For example, a patient may ask to be called on a work phone rather than a home telephone.
• Complaints: Patients may file a formal complaint regarding privacy practices directly with the provider or health plan, or with the HHS Office for Civil Rights. Consumers can find out more about filing a complaint at https://www.hhs.gov/hipaa/filing-a-complaint/index.html or by calling (800) 368-1019.

It is very important to know that professionals who work in the mental health field are responsible for following the HIPAA Privacy Rule and for applying it within their own practices. There can be severe civil and criminal penalties if procedures are not followed, and depending on the situation, an individual employee may be held responsible for failing to protect a client's privacy. For unknowing civil violations of the standards, the Office for Civil Rights (OCR) may impose monetary penalties of $100 to $50,000 per violation, with an annual cap of $25,000 for repeat violations of the same provision. Penalties are higher for violations due to reasonable cause and higher still for willful neglect. PL 104-191 also prescribed criminal penalties for certain actions, such as knowingly obtaining or disclosing protected health information in violation of the law. The Department of Justice handles criminal penalties, which are significantly higher than civil penalties: up to $50,000 and one year in prison for a knowing violation, up to $100,000 and five years if the offense is committed under false pretenses, and up to $250,000 and 10 years if it is committed with the intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm.

This rule protects clients by limiting the ways covered entities can use personal medical information. The regulations cover medical records and any other individually identifiable health information, whether it is stored or transmitted in electronic, written, or verbal form. This includes faxes, email, online databases, voicemail, and video recordings, as well as conversations among practitioners. Examples of identifiers that make health information individually identifiable include:

• Name or address, including any geographic subdivision smaller than a state, such as city or ZIP code
• Social Security number
• Dates (other than year) directly related to an individual, such as dates of birth, death, admission, and discharge
• Telephone and fax numbers
• Email addresses and URLs
• Medical record numbers, account numbers, and health plan beneficiary numbers
• Vehicle identifiers and license numbers, such as driver's license numbers and license plate numbers
• Full-face photographs and comparable images
• Any other unique identifying number, code, or characteristic that could be used to identify a client

EliteLearning.com/Psychology

Powered by