What every business needs to know about HIPAA: most healthcare organizations must comply with HIPAA's Privacy Rule by April 14, 2003--but do all organizations? Here's what businesses need to know.

Author: Swartz, Nikki

"The Internet-fueled proliferation of data--and data availability--has created a paradox: Businesses demand the benefits of a technology-enabled world along with the relative anonymity, or privacy, that the pre-technology world provided. The government's response to that paradox is regulation that balances business' need for increasingly detailed data with the public's demand for privacy. The Gramm-Leach-Bliley Act of 1999 set rules for the financial services industry, and ... HIPAA [Health Insurance Portability and Accountability Act] will do the same for health care."--Ben Worthen, CIO magazine

At the Core

This article

* examines HIPAA's Privacy Rule

* discusses who must comply with HIPAA

* explains what businesses should know about complying with HIPAA

Every day, U.S. businesses collect, use, and even sell individuals' personal information in almost any way they can. There are a few feeble ways for consumers to combat the unfettered use of their most intimate details, such as Social Security and phone numbers, address, marital status, and gender. For instance, the financial industry allows customers to sign and send back a form to opt out of the practice. But consumers have to be informed, proactive, and serious. Individuals must sign, stamp, and return a form to each financial institution they do business with--and that means for each credit card they own, too.

Healthcare providers also collect, use, and maintain an overwhelming amount of personal information. Personal issues such as genetic history, sexuality, diet, family medical history, and environmental factors may be examined during the course of treating a patient's mental and physical health. But, unlike other U.S. industries, healthcare organizations will no longer be able to use individuals' personal information however they like.

In an effort to promote effective use of this information and to ensure its continued confidentiality and security, Congress passed the Health Insurance Portability and Accountability Act (HIPAA) in 1996. HIPAA is the first federal law to address health privacy in a comprehensive way. It requires all "covered entities"--healthcare providers, plans, and clearinghouses--to protect individually identifiable health information. HIPAA provides for health insurance portability, standards for electronic transactions, and privacy and security protections for personal health information (PHI). PHI includes any information that relates to the physical or mental health of the individual, the provision of health care or payments for health care, and that can be used to identify an individual.

Organizations in the healthcare industry must pay careful attention to HIPAA, but they are not the only ones that collect and handle patients' PHI. All healthcare organizations have business associates with whom they share PHI for various reasons. So last August, after many well-publicized delays and revisions, the U.S. Department of Health and Human Services (HHS), recognizing the potential risks of exposing individuals' PHI, published the final rule for "Standards for Privacy of Individually Identifiable Health Information." The Privacy Rule is intended to

* protect and enhance the rights of consumers by providing them access to their health information and controlling the inappropriate use of that information

* improve the quality of health care in the United States by restoring trust in the healthcare system among consumers, healthcare professionals, and the multitude of organizations and individuals committed to the delivery of care

* improve the efficiency and effectiveness of healthcare delivery by creating a national framework for health privacy protection that builds on efforts by states, health systems, organizations, and individuals

The HIPAA Privacy Rule covers all of a patient's identifiable information, or PHI, that is transferred to or maintained by a healthcare provider, including e-mail, electronic, fax, paper, oral, and voice mail records, as well as phone conversations. HIPAA rules protect the information itself, not the record in which the information appears. In other words, information does not lose its protection simply because it is stored in or printed from a computer.

Most healthcare organizations must comply with the Privacy Rule by April 14, 2003. Considering the complexity of the HIPAA privacy regulation and the significant impact it will have on the way healthcare and other organizations do business, however, compliance will not be an easy task.

Who Must Comply?

The HIPAA Privacy Rule applies to health plans...
