Most of us are familiar with HIPAA, the Health Insurance Portability and Accountability Act, because our doctor’s offices often have us sign an acknowledgement that we received a copy of the HIPAA law and prohibit unauthorized individuals from receiving our health information without our permission. But many people do not know the origin of the law and how it really affects them.
The HIPAA Act of 1996 set national standards for the protection of certain health information, often termed “PHI”, which stands for protected health information. The HIPAA rule went into effect in Maryland in 2003. According to the U.S. Department of Health & Human Services, a major goal of the Privacy Rule is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high-quality health care and to protect the public’s health and well-being. The Act identified covered entities and then further defined these entities. Generally, Health Plans, Health Care Providers and Health Care Clearinghouses are covered entities.
Another example of a covered entity is a business associate. A business associate is a person or organization, other than a member of a covered entity’s workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of individually identifiable health information. The new regulations made effective on March 26, 2013 (with a delayed compliance date of September 23, 2013) further expanded the business associate scope.
Essentially, an entity will be considered a business associate unless it can meet the narrow “mere conduit exception”. The exception applies to those entities that are mere courier services or electronic equivalents. However, if there is a persistent opportunity to access PHI, then the entity will likely be a business associate. Furthermore, business associates are now directly liable under certain HIPAA provisions, such as for impermissible uses and disclosures of PHI. This means that the government can now impose significant civil monetary penalties on business associates for such violations.
The HIPAA laws affect us all, and the important lesson is that if you want your loved ones to be able to access your health information and talk to your health care providers, you need an Authorization for Release of Protected Health Information. If you have a Health Care Power of Attorney that does not include HIPAA language or was prepared prior to 2003, you should contact our office for an initial consultation.
Information contained in this article is attributed to MSBA Bar Bulletin dated April 15, 2013 and U.S. Department of Health & Human Services Privacy Summary.