Privacy, Security, and Confidentiality
Ensuring the privacy, security, and confidentiality of personal health information has been a fundamental principle for the health information management (HIM) profession throughout its 80-year history. Today, HIM professionals continue to face the challenge of maintaining the privacy and security of patient information, an effort that grows in complexity as information becomes more and more distributed in electronic systems. The challenge of this responsibility has also increased due to the constantly changing legislative and regulatory environment.
Regulations that have impacted privacy and security:
- The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- The American Recovery and Reinvestment Act of 2009 (ARRA)
- Modifications to the HIPAA Privacy, Security, and Enforcement Rules under the Health Information Technology for Economic and Clinical Health Act; Final Rule
The Privacy Rule
Sets the floor for the necessary safeguards to be implemented for protected health information (PHI) across all media
- protects individuals’ medical records and other individually identifiable health information created or received by or on behalf of covered entities
- protects individuals’ health information by regulating the circumstances under which covered entities may use and disclose protected health information and by requiring covered entities to have safeguards in place to protect the privacy of the information
- requires covered entities to have contracts or other arrangements in place with business associates that perform functions for or provide services to the covered entity and that require access to protected health information, to ensure that these business associates likewise protect the privacy of the health information
- gives individuals rights with respect to their protected health information, including rights to examine and obtain a copy of their health records and to request corrections
The Security Rule
Applies only to protected health information in electronic form
- requires covered entities to implement certain administrative, physical, and technical safeguards to protect this electronic information
- requires covered entities to have contracts in place with their business associates providing that the business associates will appropriately safeguard the electronic protected health information they receive, create, maintain, or transmit on behalf of the covered entities
Final HITECH Omnibus Rule
Strengthens privacy and security protections through:
- Extending compliance with HIPAA to business associates and their subcontractors
- Establishing new limitations on the use and disclosure of protected health information for marketing and fundraising purposes
- Prohibiting the sale of protected health information without appropriate authorization
- Expanding individuals' rights to access their protected health information electronically
- Expanding individuals' rights to receive an accounting of disclosures of their protected health information
- Providing easier access of immunization records from a covered entity to a school
- Removing HIPAA Privacy protections for PHI of an individual deceased more than 50 years
- Prohibiting the use of genetic information for underwriting purposes
- Finalizing breach notification requirements
- Expanding individuals' rights to obtain restrictions on certain disclosures of protected health information to health plans
AHIMA has multiple resources related to privacy, security, and confidentiality. Aspects of compliance with HIPAA privacy and security rules are embedded throughout these resources: