HIPAA refers to a federal statute, the Health Insurance Portability and Accountability Act, passed by Congress in 1996. Prior to the enactment of HIPAA and its Privacy Rule, confidentiality of health care information was protected by a patchwork of state statutes; the common law right to privacy, enforced by tort actions for invasion of privacy; and the ethical requirements of confidentiality assumed by all health care professionals, violations of which could lead to discipline imposed by state licensing boards. However, there were numerous and recurring reports of confidentiality breaches (Aiken, 2002).
HIPAA confidentiality and compliance
The principal goal of HIPAA was to allow portability of health insurance: it aims to permit employees to take their health coverage with them when they change employers. The law also contained several other provisions related to health care, the most notable being one related to privacy of health information (Aiken, 2002).
During the development of the HIPAA legislation, congressional hearings were held, and extensive comment was received by Congress on the subject of privacy of patient care information. In the hearings, individuals testified about problems they had experienced when information about their health status or medical treatment was shared without their authorization. Concern was focused on electronic transmission of health information and the use of fax, cellular telephones, e-mail, Internet communications, and database management.
HIPAA authorized the Department of Health and Human Services to enact, through its rule-making authority, detailed standards and requirements to protect the privacy of health information. The Privacy Rule went into effect on April 14, 2003. This rule created a minimum national threshold for privacy standards aimed at protecting information and avoiding unacceptable dissemination of protected health information. The Privacy Rule applies to three types of entities: health care providers, health plans (insurers), and health care clearinghouses (such as billing services), provided they meet the following criterion: they must transmit protected health information in electronic form. In one section of the rule, a health care provider is defined by place of service, such as a hospital, skilled care facility, outpatient clinic, home health agency, or hospice. In another section of the rule, a health care provider is defined by the nature of the provider. Under the Privacy Rule, health care providers have a number of responsibilities to perform and document. If the requirements are violated, the health care provider can be subject to civil and criminal penalties (Armstrong, 2005).
Rights of Recipients of Care and Their Families
Under the Privacy Rule, the care recipients have a number of rights that can be exercised by them or on their behalf by an authorized representative. These rights include the right to be assured that the personal health information will be treated in a confidential manner and disclosed only when necessary, the right to authorize release of information, and the right to restrict uses and disclosures of information. It is important to note that use refers to revealing information within an institution among health care professionals and disclosure refers to making information available to an entity outside the institution or for a purpose unrelated to care; consequently, ...