HIPAA

For most nurses, HIPAA is synonymous with patient privacy. On day 1 of nursing school, we learn not to share identifying information (name, age, address, social security, etc.), not to talk about our patients in the hospital elevator (there are a number of reasons not to do that), and not to leave a patient’s chart lying on the counter. So when I started writing about the hospital – and especially about patients – I needed to figure out the rules.

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is not just a “patient privacy act.” Remember, the “P” stands for ‘Portability’ and not ‘Privacy.’ HIPAA, signed into law in 1996, deals with two primary issues: Access, Portability, and Renewability (Title I) and Administrative Simplification (Title II). Under the umbrella term of Administrative Simplification, you can find the Privacy Act that tells you all you need to know about protecting your patients’ identities.

Are you sure “P” doesn’t stand for Privacy?

In oversimplified terms: Portability aims to ensure that individuals can move between health care plans (for example, if they change employers) without losing all of their current benefits. Meyer and Stepnick (2002) explain that, “At a bare minimum, portability means having an option to keep some level of coverage at some price when leaving an employer-sponsored plan.” Apparently, before HIPAA, if you switched insurance plans, your new company could royally screw you over on your benefits.

So why can’t I talk about my patients in the elevator again?

The obvious reason? It’s awkward to talk in a crowded elevator. Another great reason not to? Your patient’s son may be standing right there as you exclaim, “Oh, my God, my patient today, Mrs. X – remember her? That 86-year-old woman? No? The one whose social security number is 123-45-6789? Right, THAT Mrs. X. Did you see her wound? Totally infected. And the smell! I almost passed out . . .”

I’ve witnessed a few elevator conversations that would make you cringe.

How about a great legal reason too? The Administrative Simplification provisions of HIPAA (Title II) require the Department of Health and Human Services (HHS) to establish national standards for electronic health care transactions. The obvious follow-up issue here: “If everything is electronic, streamlined and easy-to-access, then how do we keep patient information private?”

The Privacy Rule, enacted in 2002, is what makes HIPAA famous, especially for nursing students. Read a summary of the Privacy Rule published by the U.S. Department of Health and Human Services here.

The Privacy Rule prohibits the sharing/disclosure of 18 patient identifiers covered under the category of Protected Health Information (PHI). Taken from the UCSF Human Research Protection Program: “PHI is any information in the medical record or designated record set that can be used to identify an individual and that was created, used, or disclosed in the course of providing a health care service such as diagnosis or treatment.”

These 18 identifiers are:

    1. Names

    2. All Geographic subdivisions smaller than a State

    3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90+

    4 – 16. Telephone numbers, Fax numbers, Electronic mail addresses, Social security, Medical record numbers, Health beneficiary numbers, Account numbers, Certificate/license numbers, Vehicle identifiers, Device identifiers, URLs, IP addresses, Finger and voice prints (biometric identifiers)

    17. Full face photographs and any comparable images

    18. Any other unique identifying number, characteristic or code

How do you blog while still complying with HIPAA regulations?

The U.S. DHHS Summary of the Privacy Law states:

De-Identified Health Information. There are no restrictions on the use or disclosure of de-identified health information. De-identified health information neither identifies nor provides a reasonable basis to identify an individual. There are two ways to de-identify information; either:

1) a formal determination by a qualified statistician; or

2) the removal of specified identifiers of the individual and of the individual’s relatives, household members, and employers is required, and is adequate only if the covered entity [the nurse or doctor, in this case] has no actual knowledge that the remaining information could be used to identify the individual.

There is no published law or set of guidelines [yet] that specifically addresses medical/nursing blogs. There are a lot of them too, so I think that official statutes are not far behind. Some blogs are more compliant than others.

My very own Disclaimer

Doubtful that anyone has read this far, BUT, I would like to officially say:

  1. The contents of my stories are a hazy mix of fact and fiction.
  2. All information about actual or fictitious patients has been de-identified, to the best of my ability.
  3. All of the opinions expressed here are solely my own and do not represent . . . well . . . anyone else or any of their opinions.

Consider yourself HIPAA-warned.

