The passing of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) was driven by the need to protect a rapidly growing volume of patient information and to improve health care service delivery. HIPAA provides key regulations aimed at protecting the privacy and security of patient health information. Through the U.S. Department of Health and Human Services (HHS), HIPAA sets out the Privacy Rule and the Security Rule as the primary components governing how electronic protected health information (e-PHI) is created, received, transmitted, and maintained. HIPAA therefore stipulates the minimum national standards for protecting health information and for transferring it through electronic media.
Protected Health Information and When It Can Be Disclosed
Under the HIPAA Privacy Rule, individually identifiable health information is covered as protected health information (PHI). The HIPAA Security Rule covers electronic protected health information (e-PHI). The Security Rule does not apply to PHI that is transmitted in writing or orally; it applies strictly to protected health information that is transmitted electronically (Edemekong, Annamaraju & Havdel, 2020). HIPAA emphasizes limiting access to protected health information on a "need to know" basis, so that it is offered only to authorized persons. Individually identifiable PHI comprises information such as name, telephone number, street address, email address, social security number, gender, diagnoses, financial status, and payment for health services, among other items that constitute personal information (Harman, Flite & Bond, 2012).
Data protected under HIPAA may be in written, spoken, paper, or electronic form; that is, it is protected by both the Privacy Rule and the Security Rule. Health information transmitted within or outside the health care facility needs to be effectively protected from the numerous threats it faces, especially when handled electronically. The amount of health information involved does not matter: any quantity must be protected from malicious use, access, and transmission.
As stipulated in the right-to-access provision, HIPAA requires all medical and health care practitioners to make PHI available to the affected individuals upon request. Access must be provided within 30 days of the individual's request. Further, the HIPAA rules note that individuals have the right to be provided with all of their health-related information (Marting, 2018). The exception is psychotherapy notes gathered by a provider, which may be used in lawsuit proceedings. Upon request, the information may be provided either electronically or in written form. The individual can request the information through encrypted or unencrypted media, email, direct messaging, or other forms (Yaraghi & Gopal, 2018). However, health care organizations are limited in disclosing information about unidentified persons, such as missing persons or those involved in an airplane crash, among other incidents.
A variety of PHI and e-PHI can be exempted from confidentiality protection, allowing disclosure without prior permission from the individuals concerned. Such information is often disclosed to law enforcement agencies in pursuit of justice and in criminal investigations (Edemekong et al., 2020). It includes gunshot wounds, injuries sustained in a crime, stab wounds, child/elderly abuse, gender-based violence analysis reports, and infectious, communicable, and/or reportable diseases.
Privacy Rule vs. Security Rule as Applied to Actual Use in the Laboratory
The HIPAA Privacy Rule, located at 45 CFR Part 160 and Subparts A and E of Part 164, provides the national standards for protecting an individual's medical records. This includes personal health information used by health plans, health care providers, and health care clearinghouses. The Privacy Rule emphasizes strict adherence to all safeguard measures aimed at protecting PHI (Harman et al., 2012). Such measures include the use of secure electronic devices, physical safeguards, protection of health information systems (both hardware and software), regular risk assessment, and password protection, among others. The Privacy Rule sets the limits for the use and disclosure of health information both with and without the permission or authorization of the patient, as discussed above (Edemekong et al., 2020). Furthermore, patients have the right to access, review, and request corrections to their health information records.
On the other hand, the HIPAA Security Rule, located at 45 CFR Part 160 and Subparts A and C of Part 164, outlines the national standards designed to protect individuals' electronic personal health information (e-PHI): information that is created, used, received, transmitted, and maintained electronically by a covered health care entity. The primary objective of the Security Rule is to assure the confidentiality, integrity, and security of all e-PHI (Yaraghi & Gopal, 2018). To strengthen information protection, the Security Rule therefore provides administrative safeguards, which set out the administrative policies, actions, and procedures followed in preventing, detecting, containing, and correcting security violations, and physical safeguards, which prevent unauthorized access and protect data. Organizational standards outline the safeguards for transferring information to third parties.
Systems such as Computerized Physician Order Entry (CPOE) are used to handle electronic health records (EHR) covering services such as pharmacy, radiology, and laboratory. Laboratory operators are bound by both the HIPAA Privacy Rule and the Security Rule when handling CPOE information in the EHRs. These rules determine the nature of the information and to whom it may be disclosed (Marting, 2018). The health care organization's policies and regulations, in compliance with HIPAA standards, stipulate the circumstances in which information disclosure should be executed and the exceptions that apply, for instance following the directives of the head of the department in the health care organization, a court order, or the individual's request and authorization. Laboratory results ought always to be treated as confidential, which places high emphasis on maintaining the integrity and authenticity of the information.
Identifiable and Unidentifiable Information – Uses
Identifiable health information covers individuals who are known, recognized, and identified by the health care organization. That is, it concerns known individuals who have provided personal information including name, physical address, contact information, next of kin, age, and past health history, among others (Edemekong et al., 2020). The use of identifiable health information is subject to the individual's request and authorization; thus, the affected individual is informed and required to give consent to the use of their PHI. Unidentifiable information comprises information about patients whose identity is unknown to the health care facility. These may include missing persons and individuals involved in a plane crash, road accident, or other tragedy, who are often treated as 'John Doe' or 'Jane Doe' for male and female patients respectively (Harman et al., 2012). The use of unidentifiable information is limited by law as stipulated in the HIPAA regulations.