HIPAA’s Purpose in Improving Healthcare Essay
The Health Information Portability and Accountability Act (HIPAA) is an act that was passed in 1996 and enacted in 2003. It was established to improve several aspects of healthcare, including the portability and continuity of health insurance coverage, as well as to implement national standards that ensure a patient’s security and privacy are protected. The HIPAA law has several intentions, which include: improving portability and the continuation of health insurance coverage when switching jobs or moving; combatting waste, fraud and abuse in health insurance and healthcare delivery; promoting the use of medical savings accounts; improving access to long-term medical care; and, lastly, simplifying the administration of health insurance.
One of the main focuses of HIPAA is to simplify healthcare data exchange. To do this, HIPAA has established Uniform Identifier Standards, enacted in October 2003, to be used on all claims and data transmissions. They create a uniform way to designate an employer, provider, health plan or patient in electronic transactions. HIPAA’s Uniform Identifiers are as follows. The National Provider Identifier ensures that all doctors, nurses and other healthcare providers (hospitals / clinics) have one number they use that is specific to them. This ensures accuracy with data transmission. Another Uniform Identifier is the Employer Identifier, which is used to identify when insurance is employer sponsored. This number happens to be the same as the Employer Identification Number, which is assigned by the Internal Revenue Service (IRS). The final identifier is called the National Health Plan Identifier; this assigns a unique identification number to each insurance plan.
The Health Insurance Portability and Accountability Act (HIPAA) is a landmark piece of legislation, but why is HIPAA important? What changes did HIPAA introduce and what are the benefits to the healthcare industry and patients?
HIPAA was introduced in 1996, primarily to address one particular issue: Insurance coverage for individuals that are between jobs. Without HIPAA, employees faced a loss of insurance coverage when they were between jobs.
A second goal of HIPAA was to prevent healthcare fraud and ensure that all ‘protected health information’ was appropriately secured and to restrict access to health data to authorized individuals.
Why is HIPAA Important for Healthcare Organizations?
HIPAA introduced a number of important benefits for the healthcare industry to help with the transition from paper records to electronic copies of health information. HIPAA has helped to streamline administrative healthcare functions, improve efficiency in the healthcare industry, and ensure protected health information is shared securely.
The standards for recording health data and electronic transactions ensure everyone is singing from the same hymn sheet. Since all HIPAA-covered entities must use the same code sets and nationally recognized identifiers, this helps enormously with the transfer of electronic health information between healthcare providers, health plans, and other entities.
Why is HIPAA Important for Patients?
Arguably, the greatest benefits of HIPAA are for patients. HIPAA is important because it ensures that healthcare providers, health plans, healthcare clearinghouses, and business associates of HIPAA-covered entities implement multiple safeguards to protect sensitive personal and health information.
While no healthcare organization wants to expose sensitive data or have health information stolen, without HIPAA there would be no requirement for healthcare organizations to safeguard data – and no repercussions if they failed to do so.
HIPAA established rules that require healthcare organizations to control who has access to health data, restricting who can view health information and who that information can be shared with. HIPAA helps to ensure that any information disclosed to healthcare providers and health plans, or information that is created by them, transmitted, or stored by them, is subject to strict security controls. Patients are also given control over who their information is released to and who it is shared with.
HIPAA is important for patients who want to take a more active role in their healthcare and want to obtain copies of their health information. Even with great care, healthcare organizations can make mistakes when recording health information. If patients are able to obtain copies, they can check for errors and ensure mistakes are corrected.
Obtaining copies of health information also helps patients when they seek treatment from new healthcare providers – information can be passed on, tests do not need to be repeated, and new healthcare providers have the entire health history of a patient to inform their decisions. Prior to the introduction of the HIPAA Privacy Rule, there were no requirements for healthcare organizations to release copies of patients’ health information.
Introduction
Today, you have more reasons to care about the privacy of your medical information. This information was once kept in a keyed file cabinet in the medical records department or on a dusty shelf. Your doctor was the only administrator of your physical and mental health information. With today’s electronic medical record software, the information you discuss confidentially with your doctor is recorded in an electronic data file. The obvious problem: hundreds of strangers working in healthcare, insurance, and healthcare-related businesses may see your records.
The HIPAA Privacy Rule relates to the use and disclosure of personal health information, known as Protected Health Information (PHI), by the organizations subject to it, which are called “covered entities”. The Privacy Rule also gives individuals privacy rights so that they can understand and manage how their health information is used. HHS and the Office for Civil Rights (OCR) are responsible for enforcing the HIPAA Privacy Rule through compliance activities and civil penalties. The Privacy Rule aims to ensure that personal health information is appropriately protected while allowing the flow of health information needed to provide and promote high-quality health care. In this way, the HIPAA Privacy Rule enables the use of important information while protecting the privacy of those seeking medical care.
Many people tend to think that the HIPAA privacy rules are a complicated web of administrative rules and fines, and that introducing them nationwide will be a drain on national finances. This is totally wrong. On the contrary, over the years the implementation cost of the HIPAA privacy rules has been drastically reduced, and in the long run they can save billions of dollars in transactions and other administrative tasks.
HIPAA’s privacy rules apply to organizations that are considered covered entities under HIPAA, such as health plans, medical institutions, and healthcare providers. In addition, the HIPAA privacy regulations require covered entities to enter into contracts with their HIPAA business associates that impose specific protection measures on the PHI those business associates use or disclose. The HIPAA Privacy Rule protects all individually identifiable health information held or transmitted by a covered entity or its business associate. This information can be stored in any format, including digital, paper, or verbal information. Under the Privacy Rule, this individually identifiable health information is called PHI.
By Mary Butler
A Beverly Hills plastic surgeon, let’s call him Dr. Hollywood, has a thriving business—an impeccable office, gracious and welcoming staff, and top of the line equipment and devices. His clientele is primarily celebrities and other wealthy socialites who can afford to pay out of pocket for cosmetic services, so Dr. Hollywood doesn’t accept insurance. Occasionally, Dr. Hollywood gives interviews to celebrity magazines and talk shows commenting on specific patients of his and the work they’ve had done—naming names and discussing details.
Is this behavior unethical? Perhaps. Opportunistic? Definitely. But is it a HIPAA violation? No. HIPAA privacy rules only apply to covered entities, and strictly speaking, covered entities are considered as such because they exchange electronic information with health plans. So because Dr. Hollywood doesn’t accept insurance, he is not a covered entity according to HIPAA. That said, his shady disclosures do put him in violation of California’s stricter health privacy laws—and it is illogical gaps like these between state and federal law that have people questioning whether HIPAA needs an update.
Attorney Adam Greene, JD, a partner at the Washington, DC law firm Davis Wright Tremaine, says the plastic surgeon scenario is a classic example of the ways in which the public at large misunderstands the purpose of the 1996 HIPAA legislation and what it covers. And, he says, it’s an example that even surprises people who’ve been working with HIPAA for years.
HIPAA is widely understood as a healthcare privacy law, but as Greene points out, the “P” in HIPAA doesn’t stand for “privacy.” The Health Insurance Portability and Accountability Act (HIPAA) was intended to make it easier for healthcare providers to transmit healthcare claims to health plans and clearinghouses using common standards. When HIPAA was being written, Congress took the position that if the law was going to facilitate greater electronic sharing of health information, there should be better privacy and security requirements that go with it.
“If you were drafting a health information privacy law it would likely be very different,” Greene says. He adds that many privacy protections were added later through rulemaking, and that state privacy regulations followed to try and fill gaps.
HIPAA came of age at the same time as the Internet—though policymakers couldn’t have foreseen how much the two developments would grow to impact each other. The Internet, of course, is the engine that has many in the industry pushing for more updates to HIPAA. Mobile health devices such as the FitBit, electronic health records (EHRs), telehealth services, social media, and other wearable health trackers have taken on a life of their own, outpacing privacy regulations—even with the HITECH update to HIPAA in 2009 and the Omnibus Rule changes in 2013—creating recent gaps in national privacy and security law. Some see this as a gap in HIPAA that should be filled.
Though it is over 20 years old, it appears HIPAA is still not completely understood by patients and providers. In 2016 the Office of the National Coordinator for Health IT (ONC) released a series of blog posts and fact sheets aimed at clarifying just what rights of information exchange and protection HIPAA grants patients and providers—in part to better foster the exchange of information that can become log-jammed over a misunderstanding of HIPAA’s rules.
To determine whether HIPAA needs to be replaced or merely updated, it’s important to hear from the privacy officers who work with its policies every day, current and former federal officials, and legal experts who work through patient issues and assist providers. Not all are in agreement that HIPAA is out of date. Some think it is still relevant and does a relatively good job of protecting privacy and security. Others think it should be scrapped and replaced with more modern and thorough regulation. All those interviewed for this article, however, agreed that at least some modifications and updates are called for.
Some Say Supplement HIPAA, Don’t Replace It
It’s tempting to believe that documents written before significant technological and scientific advances are automatically antiquated. Although people will likely debate key portions of the US Constitution forever, even skeptics agree that its core tenets have held up over time and served the country well. Similar consensus exists around HIPAA.
Greene, who counsels companies on HIPAA and HITECH compliance, says that HIPAA has also held up fairly well. And while technology has outpaced some of its provisions, HIPAA doesn’t need to be altered to fill those gaps, Greene says, suggesting instead that other, newer privacy laws be created. “I think there’s a danger in trying to extend HIPAA to other types of entities. HIPAA was designed very much with healthcare providers and health plans in mind. So just throwing a mobile app, a consumer-focused mobile app, into HIPAA is not necessarily the best fit,” Greene says.
Privacy officers interviewed for this article agree. Elisa Gorton, RHIA, CHPS, MAHSM, director of corporate responsibility, privacy officer, at St. Vincent’s Medical Center in Connecticut, doesn’t think the law needs to be broken down and rebuilt to become more relevant since its overall intention is very good. Gorton also thinks the Office for Civil Rights (OCR) does a good job with enforcing HIPAA. But, “It could probably be refreshed, because now you have telehealth going on and more patient portals, and more interactive types of care and communication done electronically. Patients want information texted to them… and we do have patients that want things e-mailed directly to them, and they don’t want it encrypted or sent securely,” Gorton says.
HIPAA Enforcement and Compliance is a Work in Progress
At a time when health information breaches are reaching an all-time high, HIPAA audits by the Office for Civil Rights (OCR) have continued in an attempt to make sure providers are following current privacy and security rules. According to Rachel Seeger, a spokesperson for OCR, Deven McGraw, deputy director for health information privacy at OCR, worked with a team of 18 people over this past year. This group was responsible for the HIPAA Privacy and Security Rule policy, overall enforcement monitoring, case reconsiderations, and more. They’ve been working with a budget projected to be $38.8 million, Seeger says.
“OCR has resolved over 24,825 HIPAA cases through corrective action and/or technical assistance since the agency began enforcing the Rules in 2003,” Seeger said in an e-mail to the Journal. From September 2009 through January 31, 2017, OCR has received approximately 1,825 reports involving breaches of protected health information (PHI) affecting 500 or more individuals—with a total of 171,390,576 individuals impacted by these incidents. OCR has received approximately 255,560 reports of breaches of PHI affecting fewer than 500 individuals, according to Seeger.
That staff was certainly busy in 2016, a devastating year for HIPAA breaches. Over 25 million records were compromised as of October 2016 alone, according to Fierce Healthcare.1 Such staggering numbers have some questioning the effectiveness of OCR’s audits and the PHI protections required in HIPAA.
While privacy and security breaches seem to be getting worse, some have defended OCR’s efforts to combat incidents. Increased enforcement in the recent year—long-awaited OCR “desk audits” started in 2016—has been praised.
Regarding these desk audits, attorney Adam Greene, JD, admits, “Nothing is ever quite enough to ensure all the providers are going to follow up… the audit program has definitely had a substantial impact in pushing more covered entities and business associates to prioritize HIPAA compliance, and admittedly everyone’s got limited resources…,” Greene says. “The alternative is more of a traffic ticket mentality and penalizing everyone that is found to have violated HIPAA, but I prefer the current approach.”
Kelly McLendon, RHIA, CHPS, managing director at CompliancePro Solutions, says that even the small number of desk audits do a good job of “sowing a little bit of fear, certainty, and doubt that ‘Hey, I could get audited—I’d better be compliant,’” he says.
McLendon admits that with thousands of covered entities and business associates eligible to be audited, the chances for the average organization to be one of the 150 chosen by OCR are “microscopic.” But that doesn’t mean organizations shouldn’t be prepared anyway. “Being prepared for the audit is also being prepared for an investigation, which could come at any time, based on a patient making a complaint… You’re at risk even if your risk of audit is very small. Your risk of having to produce all that information [for an audit or investigation] is not all that small,” McLendon says.
Nancy Davis, MS, RHIA, CHPS, director of compliance and safety at Door County Medical Center, admits that while technology is always changing, the philosophy that drives HIPAA is “fairly sound.” However, she would welcome “more clarification on patient portals.” Davis also says, “HIPAA does tend to defer to state law when it comes to minors. So that’s always a challenge.”
And it does appear that regulators are hearing industry calls for HIPAA updates. In remarks delivered at the HIMSS Annual Meeting in February, Deven McGraw, JD, MPH, deputy director for health information privacy at OCR, said her agency is expecting to release a draft rule on privacy breaches by the end of 2017. McGraw noted that HITECH requires the Department of Health and Human Services (HHS) to devise avenues for compensating individuals whose healthcare privacy has been breached—and that may happen soon.
“What qualifies as harm when there has been a violation of privacy and security rules? How do we determine a violation has occurred when the case is settled and there is no finding of fault?… We’ll be issuing that [proposed rule] hopefully in 2017,” McGraw said, according to a report in Medpage.
Additionally, OCR will issue guidance on topics such as text messaging—including when and how it’s appropriate to send text messages containing PHI using unsecured texting platforms. The guidance will also speak to permitted uses and disclosures of PHI on social media platforms—another update some in the industry have said is needed to bring HIPAA into the 21st century.
McGraw also said OCR is working on guidance she’s termed “Anatomy of a Case,” which “walks through a typical case we do in HIPAA and how we calculate penalties, and the basic criteria we use to come to settlement amounts,” said McGraw, according to Medpage.
Gaps Between State and Federal Privacy Laws
State laws around protected health information (PHI) often are much more stringent than federal law—since HIPAA is often called the floor of privacy protections, not the ceiling—and it’s the privacy officer’s job to be familiar with both. Some in the industry have called for replacing HIPAA with an updated, overarching, national privacy and security law governing all PHI that would serve as the regulation ceiling. Davis admits that having to consult one overriding privacy law instead of several would make life easier.
“I would relish one set of laws. In a perfect world, HIPAA would be the end-all—no separate set of rules for minors or mental health. The three biggest areas that I struggle with are law enforcement, minors, and reporting drug diversion,” Davis says.
“In Wisconsin, the laws to protect patient privacy are stronger than HIPAA when it comes to reporting and sharing information with law enforcement. We always hear from law enforcement, ‘HIPAA says we can do this.’ And I say ‘That’s true HIPAA does, but it’s your Wisconsin law I’m following.’ So yeah, it would be nice to have one set of laws, but I don’t see that happening because there are a lot of political issues” at play, Davis says.
But privacy and security consultant Joy Pritts, JD, the former chief privacy officer at ONC, looks at the discrepancy between state and federal law differently. She feels stricter state law helped improve HIPAA over the years, leading to HIPAA updates in 2003 and 2009 that added privacy and security protections first modeled at the state level.
“I have a philosophical perspective on that, based on years of watching how laws develop in the United States, and I really do believe that if you didn’t allow the states to do something in this area, we wouldn’t be where we are today. We would not have breach notification in HIPAA if states had not started breach notifications—California in particular. I’m not in favor of federal preemption of state law because that’s where a lot of the good ideas originate,” Pritts says.
Stakeholders are worried about gaps in HIPAA falling short of protecting consumer data as patients access PHI through mobile health and patient portals. The government has also expressed concern. Last year ONC addressed these concerns with a report called “Examining Oversight of the Privacy & Security of Health Data Collected by Entities Not Regulated by HIPAA.”3 The report analyzed the current scope of HIPAA; identified gaps that exist between HIPAA-regulated entities and those not regulated by HIPAA; and made recommendations for leveling the playing field for innovators that are covered entities and non-covered entities (NCEs). It also assessed the role of the Federal Trade Commission (FTC) in protecting health data.
The paper stated that HHS has committed to providing more guidance for providers of technologies offered by NCEs, as well as for entities that are unsure whether they are covered by HIPAA.
The paper ultimately concluded that “large gaps in policies around access, security, and privacy continue, and confusion persists among both consumers and innovators. Wearable fitness trackers, health social media, and mobile health apps are premised on the idea of consumer engagement. However, our laws and regulations have not kept pace with these new technologies. This Report identifies the lack of clear guidance around consumer access to, and privacy and security of, health information collected, shared, and used by NCEs.”
How to Make HIPAA Work Better
While there is consensus that HIPAA and its updates have held up over time, there is a diverse set of ideas various stakeholders have for tweaking it or pushing for privacy protections in other places.
Pritts says that in an ideal world, all organizations—from HIPAA-covered entities to app developers—that handle health information would have codes of conduct that would be enforceable by the FTC. Pritts thinks that HIPAA is very prescriptive in that it covers a segment of organizations that handle health information in a certain way while not covering others—like Dr. Hollywood.
“And outside of that context, we have hardly any protection. What I see as being an issue is there’s such a difference between HIPAA and the Federal Trade Commission Act,” Pritts says.
For example, according to the ONC report, the “FTC and HHS each have broad experience in protecting consumers against privacy and security risks to health data to the extent of their existing statutory authorities… FTC has a well-developed body of law enforcing privacy and security practices that are unfair and deceptive, including taking action against an organization that adopts a code of conduct, but does not adhere to that code. HHS’ experience includes well-established regulations about health data privacy and security, as well as in-depth knowledge of the ways that very sensitive data moves (and will move in the future) among FDA-regulated devices, EHRs, mHealth apps connecting into medical environments, and the emerging connectivity among them in health care delivery settings. As this Report shows, however, large gaps in policies around access, security, and privacy continue, and confusion persists among both consumers and innovators.”
“It’s not just a question of does HIPAA need to be fixed or improved, it’s whether regulatory structure needs to be improved,” Pritts says. “That’s what I would focus on personally and in doing that I would make it a little more uniform between the kinds of sensitive information that’s covered by HIPAA and what’s covered by the FTC.”
Pritts says she would like one “overarching privacy rule that would go a long way in the US toward evening out the discrepancies between health information and other types of information,” though she also admitted that the practical political realities render that somewhat unrealistic. However, she says work on privacy will continue. “We’re never going to be done in this area. It’s evolving constantly and we do need to keep up with the way data is generated and exchanged,” she says.
One problem that persists with HIPAA is that the technical and legal language can be hard for consumers and professionals to interpret. AHIMA’s Privacy and Security Practice Council is working to improve patient understanding by developing a form to accompany the Notice of Privacy Practices (NPP) form that patients fill out for their doctors. This form, meant to explain to consumers how an organization protects their privacy, is often very complex—and has been ridiculed by some consumer advocates as unreadable and unhelpful to consumers.
“That is an area where I think we could step back and try to do better, which is not only educating providers but also simplifying some of their requirements. That’s especially important when you’re looking at how people access their health information now,” Pritts says. “Many have moved to mobile devices, iPads, and tablets. Having a very long NPP that’s not in a paper format doesn’t really work. An authorization that is very, very long doesn’t really work either.”
Lucia Savage, JD, who most recently served in the Obama Administration as ONC’s chief privacy officer, worked on the ONC blog series and fact sheets that attempted to clear up some of the consumer and provider confusion about HIPAA.
One of the biggest challenges of modernizing HIPAA is that consumers are ready to “go mobile” in the delivery and receipt of their health information but many providers still are not, Savage says. Even with the guidance ONC and OCR have released, patients are too frequently told that they can’t have their own health information or get it exchanged with other providers. One reason for this is that there are many moving parts.
“We’ve done a really excellent job of raising the awareness of the importance of privacy among healthcare professionals and office managers, a really excellent job. But in this particular case, we maybe overcorrected,” Savage says. “We need to swing the pendulum back a little bit. For a patient to be told ‘I can’t give you information about you,’ it just doesn’t hold up to scrutiny. And that’s different than you saying as a professional ‘I don’t have authorization to send this to your husband’s divorce attorney so I’m not going to,’ which is completely legit.”
Pritts and Savage agree that providers need more training and education around the release of information through patient portals. “I think that providers do need more information. There’s been a big push for consumers to have more access to their own information and patient-generated data. From my interactions with major healthcare systems, even they are not familiar with the [Omnibus] rule that came out in 2013 that said individuals have the right to designate a third party to receive their information under a right of access request,” Pritts says.
Improved patient access to their own information—as well as information exchanged between providers—may be best achieved outside of HIPAA or new regulations. Private industry—some with the help of government grants and some without—is making great strides in secure information release.
For example, last fall ONC announced the winners of its “blockchain challenge,” which required participants to explain how blockchain technology could enable interoperability. Blockchain is a technology that was first used to protect Bitcoin currency transactions, but interoperability experts believe it’s also a promising way to exchange sensitive health information in a private and secure way. Software developers are also using application programming interfaces (APIs) to develop tools that make patient information stored in EHRs more readily available to patients.
Pritts currently sits on the board of advisors for a company that’s working on ways to make information, like PHI, easier to send securely.
“They [the company] are enabling granular control of information in a way where you don’t have to be concerned whether state A has one law or state D has another law,” says Pritts, alluding to discrepancies in state privacy laws.
One way to improve security without touching HIPAA or issuing a regulation could be by letting innovators innovate. “I think, to me, the best course is to really have competition for the best in class and let the consumer pick what’s right for them,” Savage says.