About HIPAA
Notice of Privacy Practices
Background and General Information (taken from the U.S. Department of Health & Human Services)
The privacy provisions of the federal law, the Health Insurance
Portability and Accountability Act of 1996 (HIPAA), apply to
health information created or maintained by health care
providers who engage in certain electronic transactions, health
plans, and health care clearinghouses. The Department of Health
and Human Services (HHS) has issued the regulation "Standards
for Privacy of Individually Identifiable Health Information,"
applicable to entities covered by HIPAA. The Office for Civil
Rights (OCR) is the Departmental component responsible for
implementing and enforcing the privacy regulation. (See the
Statement of Delegation of Authority to the Office for Civil
Rights, as published in the Federal Register on December 28,
2000).
For the average health care provider or health
plan, the Privacy Rule requires activities, such as:
- Notifying patients about their privacy rights and how
their information can be used.
- Adopting and implementing privacy procedures for its
practice, hospital, or plan.
- Training employees so that they understand the privacy
procedures.
- Designating an individual to be responsible for seeing
that the privacy procedures are adopted and followed.
- Securing patient records containing individually
identifiable health information so that they are not readily
available to those who do not need them.
Responsible health care providers and businesses already
take many of the kinds of steps required by the Rule to
protect patients' privacy. Covered entities of all types and
sizes are required to comply with the Privacy Rule. To ease
the burden of complying with the new requirements, the
Privacy Rule gives needed flexibility for providers and
plans to create their own privacy procedures, tailored to
fit their size and needs. The scalability of the Rule
provides a more efficient and appropriate means of
safeguarding protected health information than would any
single standard. For example,
- The privacy official at a small physician practice may
be the office manager, who will have other non-privacy
related duties; the privacy official at a large health plan
may be a full-time position, and may have the regular
support and advice of a privacy staff or board.
- The training requirement may be satisfied by a small
physician practice's providing each new member of the
workforce with a copy of its privacy policies and
documenting that new members have reviewed the policies;
whereas a large health plan may provide training through
live instruction, video presentations, or interactive
software programs.
- The policies and procedures of small providers may be
more limited under the Rule than those of a large hospital
or health plan, based on the volume of health information
maintained and the number of interactions with those within
and outside of the health care system.