4 objectives of HIPAA
When considering HIPAA, there is a lot of discussion about how data should be used, shared, and transferred. It is well known that medical staff are not very happy about this legislation, seeing it as restrictive in many respects. The legislation has 4 objectives, spread across its 5 titles:
- ensuring health insurance
- decrease fraud and abuse in healthcare
- setting standards for efficiency of PHI
- assurances of privacy and security
Looking at the titles themselves, the first title is about ensuring that insurance can be accessed, transferred, and renewed. It sets out the main legislation on how coverage and renewal of insurance are guaranteed. One of the main advantages of this title is the elimination of discrimination.
The second title covers measures against fraud in healthcare and against abuse of any kind. The rules described above are part of this second title of HIPAA. There is also one more interesting rule, known as the Omnibus Rule, to be discussed later.
The third title is more concerned with tax-related issues: it has specifications and stipulations regarding medical savings accounts, and it also adds some new regulations on insurance. The fourth title deals with enforcing and applying group health plan requirements, and the last one deals with offset provisions.
As is clear, the part of HIPAA that matters most in daily practice today is the second title, which aims to prevent leaks and breaches of any patient’s data. The point is that nobody should handle information he or she does not need to know. For example, a physician treating a patient should not disclose the patient’s social security number, and a technician maintaining electronic data storage should not access patients’ information and conditions. All of this is considered sensitive and private information, and it leads to the concept of using only the minimum necessary information.
Where the “Minimum Necessary” standard applies under HIPAA
The HIPAA Minimum Necessary standard is one of the most critical provisions to understand in depth, since it affects medical personnel working with patients every day. There are some important aspects to keep in mind, but before looking at where the HIPAA “minimum necessary” standard applies, it is better to understand what it is.
It is a provision requiring covered entities and business associates to limit the ways PHI is used and to ensure that no extra, unneeded information is disclosed. In other words, patient information is to be used where it is needed and not used where it is not required. So, whenever such information is used, transferred, or revealed, only authorized people should be dealing with it, so that there is no data breach, fraud, or abuse.
For example, if information is disclosed to a business associate performing a particular service for a covered entity, only the PHI of that patient which the service needs should be accessible. So it is critical that the covered entity has made every effort to ensure that the accessible information is reasonable and relevant. Put simply, if A requests information from B about a patient P, B may disclose P’s history, but only the part that is required for the service to be completed.
Any extra information disclosed can cause problems and can be treated as a violation. Clearly, a physician may request all the historical data about a particular patient he or she is treating at the moment of access, but that access should be limited to that patient only. Another sensitive aspect is that this physician will see the patient’s social security number; from that moment on, this information must not be unveiled or shared with anyone.
All of this is not as simple as it may seem at first, so it is important to understand where the HIPAA Minimum Necessary standard applies. It applies to any use or disclosure of permitted information. According to the rule, this includes using, requesting, disclosing, and transferring data such as images, copies of PHI, medical charts, and so on. The standard also applies to accessing PHI or ePHI for the purpose of transferring the data to other business associates or covered entities.
However, to understand how this works, it helps to look at where the standard does not apply. According to HIPAA, there are 6 exceptions to the Minimum Necessary standard:
- when a request to access PHI is made by the healthcare providers with the intention to provide treatment
- when patients ask for copies of their own medical history and records
- when there is a valid authorization for the use of PHI
- when requests are made in accordance with the Administrative Simplification Rules
- when a request is made by the Department of Health and Human Services according to some HIPAA stipulations
- when requests are required by other laws or regulations.
Another important aspect is how covered entities do their best to protect patient data when it must be shared in order to obtain services. A reasonable justification has to be made by the covered entity. This is where so-called Reasonable Reliance comes in: the covered entity may rely on the requester’s judgment of which part of the information is to be shared, used, or disclosed. So, under particular circumstances, much depends on the covered entity. But which circumstances?
- when there is a request made by a public official in accordance with the Privacy Rule
- when a request is made by another entity
- when a request is made by a physician or business associate
- when a request is done by a researcher only if he or she can provide documentation from IRB (Institutional Review Board)
So, when the above-mentioned cases occur, it is the covered entity alone who is responsible for judging whether the information to be accessed is the minimum necessary. To make the Minimum Necessary standard more effective, there are some critical tips to follow:
- locate the PHI and determine what kind of PHI is included in the ePHI. A clear picture of the ePHI is needed so that the covered entity can classify the different types of information
- classify the information about the patient so that the covered entity can assign access permissions based on different levels of authorization. This can restrict access to details such as the social security number, health insurance details, and so on. For example, not every staff member treating the patient needs to access all of the patient’s historical data.
- inform and train medical staff members about what types of data they are allowed to use and share. Moreover, all medical staff should know what to expect once they violate privacy rules and obligations, so having a sanction policy helps avoid violations of HIPAA standards.
- set up alerts for unauthorized access to ePHI. This gives better options for safety and data protection, since it makes it easy to monitor who accesses information without permission or authority, or shows that PHI has been accessed without any reasonable purpose.
- audit logs and granted permissions on a regular basis. This makes it easy to spot who has accessed PHI and why. Remember that accessing more information than needed can also be considered a violation of privacy rules.
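The last four tips (classify PHI fields, grant access by role, alert on access outside a person’s authority, and audit the log afterwards) can be combined in one small access gateway. The following is an added illustration, not code from the original article or from any HIPAA tooling; the field classes, role names, patient records and actor identifiers are constructed for the example, and the rule that clinical staff only see patients on their own care team is an assumed policy, not a HIPAA requirement.

```python
"""Field-level minimum-necessary filtering with an audit trail.

Constructed example: the field classification, roles, patient records and
actor names are made up for illustration and do not come from a real system.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed classification of PHI fields into sensitivity classes.
FIELD_CLASS = {
    "name": "demographic",
    "date_of_birth": "demographic",
    "ssn": "identifier",
    "insurance_id": "financial",
    "diagnoses": "clinical",
    "medications": "clinical",
    "visit_notes": "clinical",
}

# Assumed role-to-class permissions. A technician maintaining the storage
# gets no PHI classes at all, matching the article's example.
ROLE_PERMISSIONS = {
    "treating_physician": {"demographic", "clinical"},
    "billing_clerk": {"demographic", "financial"},
    "it_technician": set(),
}


@dataclass
class AuditEntry:
    when: str
    actor: str
    role: str
    patient_id: str
    purpose: str
    fields_requested: tuple
    fields_released: tuple
    denied: tuple


@dataclass
class AccessGateway:
    """Holds patient records plus the care relationships used for scoping."""
    records: dict                      # patient_id -> {field: value}
    care_team: dict                    # patient_id -> set of actor ids
    audit_log: list = field(default_factory=list)

    def request(self, actor, role, patient_id, purpose, fields):
        """Return only the requested fields this actor may see, and log the
        request (including what was withheld) for later audit."""
        allowed_classes = ROLE_PERMISSIONS.get(role, set())
        # Assumed scope rule: an actor only sees patients they are treating.
        in_scope = actor in self.care_team.get(patient_id, set())
        record = self.records.get(patient_id, {})
        released, denied = {}, []
        for f in fields:
            if in_scope and FIELD_CLASS.get(f) in allowed_classes and f in record:
                released[f] = record[f]
            else:
                denied.append(f)
        self.audit_log.append(AuditEntry(
            when=datetime.now(timezone.utc).isoformat(),
            actor=actor, role=role, patient_id=patient_id, purpose=purpose,
            fields_requested=tuple(fields),
            fields_released=tuple(released), denied=tuple(denied)))
        return released


def flag_overreach(audit_log):
    """Entries where anything was withheld: the requests a reviewer should
    look at, since they asked for more than the role or care team allows."""
    return [e for e in audit_log if e.denied]


def build_demo_gateway():
    """Constructed sample data; these are not real patients."""
    records = {
        "P001": {"name": "Pat Example", "date_of_birth": "1980-01-01",
                 "ssn": "000-00-0000", "insurance_id": "INS-TEST-1",
                 "diagnoses": ["hypertension"], "medications": ["lisinopril"],
                 "visit_notes": "constructed note"},
        "P002": {"name": "Sam Sample", "diagnoses": ["asthma"]},
    }
    care_team = {"P001": {"dr_alice"}, "P002": {"dr_carol"}}
    return AccessGateway(records=records, care_team=care_team)


if __name__ == "__main__":
    gw = build_demo_gateway()
    gw.request("dr_alice", "treating_physician", "P001", "treatment",
               ["name", "diagnoses", "ssn"])
    gw.request("tech_bob", "it_technician", "P001", "maintenance", ["visit_notes"])
    for entry in flag_overreach(gw.audit_log):
        print(f"{entry.actor} ({entry.role}) on {entry.patient_id}: "
              f"withheld {entry.denied}")
```

The gateway never raises on an over-broad request; it releases what the role is entitled to, withholds the rest, and records both halves. That design keeps the clinical workflow moving while giving the audit reviewer exactly the signal the article asks for: every entry with a non-empty `denied` tuple is someone reaching beyond the minimum necessary, whether by field class (a physician asking for the SSN) or by scope (a physician asking about a patient they do not treat).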