HIPAA: The Who's, What's, When's, and Why's of Disclosure


In 1996, President Bill Clinton signed the Health Insurance Portability and Accountability Act (HIPAA) into law. The Standards for Privacy of Individually Identifiable Health Information, known as the Privacy Rule, was established by the U.S. Department of Health and Human Services to implement the Act's requirements. Fundamentally, HIPAA and the Privacy Rule exist to limit the circumstances in which a person's protected health information (PHI) may be used or disclosed. The Privacy Rule was the first comprehensive health privacy policy in U.S. history to require organizations to change their standard operating procedures in order to demonstrate compliance.

Disclosures must follow the strict policies of the Privacy Rule. Given the violation and penalty structures, organizations should strive to demonstrate positive intent at all times and take every step necessary to create an environment that prevents incidental or inadvertent disclosures. The Four W's of HIPAA disclosure provide a framework for understanding who must be aware of the Privacy Rule's stipulations, what a disclosure is, when one is permitted, and why the rules exist in the course of health care business.

WHO: Any group that houses or transmits PHI is affected by HIPAA. This includes a whole host of potential parties, including health care providers, laboratories, pharmacies, insurance companies and clearinghouses, known collectively as covered entities. Additionally, consultants and tangentially associated representatives such as lawyers and accountants are indirectly affected.

WHAT: A HIPAA disclosure, whether intentional or incidental, is the sharing of PHI with another individual or entity. The Privacy Rule dictates that organizations protect patient information from being disclosed unless the disclosure complies directly with the Privacy Rule's stipulations or the patient to whom the PHI belongs authorizes it in writing.

WHEN: Permitted uses and disclosures apply exclusively to the business of health care and are usually limited to other organizations or individuals who need the information to complete a component of the care or payment process. According to the Privacy Rule, several overarching themes dictate the legality of disclosures. Most commonly, information may be disclosed to an organization that is involved in the treatment or payment of a health care event; this usually includes a physician, pharmacy or payer. Secondarily, cursory details about an individual's care or payment for care may be disclosed to family or friends upon the patient's verbal agreement; this stipulation is largely at the discretion of the health care entity caring for the patient. In the course of business operations, minor incidental disclosures may occur without penalty if all reasonable safeguards are in place; one such occurrence is a patient in an adjoining room overhearing a diagnosis. Finally, PHI may be shared for public interest activities in circumstances such as abuse, law enforcement need or donation of tissue, and limited data sets with identifying information redacted may be provided for research purposes.

WHY: Disclosure policies establish safeguards to ensure that patient information is not released to organizations or individuals when it is not pertinent to the administration of, or payment for, health care.

HIPAA violations, meaning any disclosure of PHI that is not consistent with the Privacy Rule, can result in civil and criminal penalties under the American Recovery and Reinvestment Act of 2008, which built a penalty structure for HIPAA violations. Penalties increase in direct correlation with the level of neglect associated with the violation. For instance, if a violation occurs but the violator was not aware of it, the penalty is $100 per violation; however, if a violation occurs out of willful neglect and is not corrected, the penalty is $50,000 for each violation. Intentional disclosures made with the intent to sell the information can result in up to ten years of jail time and substantially increased fines.

When dealing with HIPAA rules and regulations, organizations should regularly train staff and consult with third-party experts to ensure that all components of the business are aligned with the Privacy Rule. In an ever-evolving health care environment, the circumstances of disclosure are often left to the judgment of the health care professional involved in the interaction. Demonstrating good intent through adherence to best practices will serve an organization well should an incidental violation ever occur.

Written by: Meagan Bates