What are the implications for clinicians and other health-care professionals of the Health Insurance Portability and Accountability Act (HIPAA) patient privacy and confidentiality statutes?

By Chris Kidd

Chris Kidd, Information Security and Privacy Officer, University Health Sciences Center

In order to provide appropriate care to individuals within the health-care system, patients must be willing to share all pertinent information with their providers. However, many individuals are unwilling to do so, fearing that their information may be used for purposes other than treatment, or that their privacy in general will not be protected. According to a recent survey, 17 percent of Americans indicated that they have taken steps to protect their privacy, including "physician hopping," providing incomplete or inaccurate information during diagnosis/treatment, or refusing treatment. By 1995, public concern over privacy issues had grown more than 18 percent since 1978, from 64 percent to 82 percent.

Many states have existing privacy statutes, but they are diverse and, in many cases, do not allow patients access to their health information. Congress sought to respond to these concerns, as well as to simplify health-care administrative processes and set federal standards, by passing the Health Insurance Portability and Accountability Act of 1996 (HIPAA). A part of this law requires Health and Human Services (HHS) to develop regulations covering privacy, security, transactions (electronic data interchange) and unique identifiers, all to be implemented within a 26-month period after their final release.

The privacy rule, which requires large providers to be compliant by April 2003, affords consumers the right to control and understand how their health information will be used and disclosed. The major provisions state that:

  • Providers develop and make available to each patient a privacy notice that indicates how individually identifiable health information will be used in an organization.
  • Patients can request a restriction on who can access or view their health information. Providers are required to review the request, but are not obligated to agree to any restrictions.
  • Patients have a right to inspect and receive a copy of their health information (excluding psychotherapy notes).
  • Patients may request that their health information be amended, under certain conditions. If the provider agrees to the amendment, copies must be sent to those who may have received it in the past.
  • Patients have a right to know if their health information was disclosed outside of the provider organization and to whom and for what purpose it was disclosed (for the previous six years).
  • Providers are required to ensure that only the minimum necessary health information is used or disclosed for purposes other than treatment.

HHS estimates the privacy implementation cost across the U.S. health-care system will be $17 billion over 10 years, which is offset by a savings of $30 billion from implementation of the electronic transactions, as required under HIPAA. While it is true that compliance will be a significant challenge, the financial costs of non-compliance may be greater, as HIPAA carries severe civil and criminal penalties (up to $250,000 in fines and 10 years in prison). The greatest casualty of non-compliance, however, may be patient care, as consumers become increasingly concerned over privacy and are unwilling to share information vital to their care.

We always welcome your comments about the magazine. Address letters to: Editor, Health Sciences Report, Office of Public Affairs, University of Utah Health Sciences Center, 50 North Medical Drive, Salt Lake City, UT 84132. FAX: (801) 585-5188. E-mail: Susan.Sample@hsc.utah.edu.