just spent four days at hipaa conference. sharing following info. karen
the health insurance portability & accountability act of 1996
title ii includes a section, administrative simplification, requiring:
1. improved efficiency in healthcare delivery by standardizing electronic data interchange, and
2. protection of confidentiality and security of health data through setting and enforcing standards.
more specifically, hipaa calls for:
1. standardization of electronic patient health, administrative and financial data
2. unique health identifiers for individuals, employers, health plans and health care providers.
3. security standards protecting the confidentiality and integrity of "individually identifiable health information," (called protected health information or phi) past, present or future.
4. written consent/authorization for release of phi with opt-out clause.
the bottom line: sweeping changes in most healthcare transaction and administrative information systems.
privacy rule --- april 14, 2003
transmission/edi: must have plan submitted by october 2002 and full implementation by october 2003.
security --- final rule still being worked on.
the privacy rule limits how personal health information may be used in marketing, including the kind of marketing that may be done as a part of healthcare operation. marketing is defined as communicating about a product or service in order to encourage its purchase or use.
certain activities that otherwise meet this definition are not considered marketing under the privacy rule "to prevent interference with essential treatment or health-related communications with a patient." they include:
*describing participating providers or plans in a network -- or the services and benefits they provide.
*using the communication to provide, manage or further treatment -- as in recommending over-the-counter medications or sending reminder notices for appointments or prescription refills.
if a communication is marketing, personal health information may be used or disclosed only in these cases:
*face-to-face encounters with the patient -- as in offering product samples during an office visit.
*they involve products or services of nominal value, i.e., toothbrushes, pens, etc.
*they concern health-related products and services of the covered entity or a third party, and if the covered entity making communication is identified.
*it is stated that the covered entity is being paid for the communication, if this is so.
*the individuals are told how to opt out of further marketing.
*individuals are told why they have been targeted (are they diabetics, smokers?) and how the communication relates to their health.
*they are marketing-related disclosures made to business associates only to support the covered entity's marketing activities. the entity must require a signed business associate agreement from its telemarketer or door-to-door salesman, who may not use protected health information for his own or other purposes.
under the privacy rule, all other marketing requires individual authorizations to use or disclose personal health information. in order to release patient or enrollee lists for any other reasons, the covered entity must obtain authorization from everyone on the list.
full info about hipaa at:
privacy information rules :
excellent series of articles re privacy/confidentiality here:
***student nurses pose hipaa challenges: de-identification, minimum necessary (a must read for all nurses)
*shred-it bins offer more privacy than recycle bins for hipaa compliance
*tips for protecting faxes under hipaa privacy rule
*12 tips to improve confidentiality in the er
*crack down on hallway consults, screens to improve patient privacy
*tips to protect phi that falls outside the medical records dept.
*common medical record abuses and steps you can take to prevent them
above articles + many more located at: