
HIPAA and Patient Privacy

Document Number: 246

Passed by Congress in 1996, the Health Insurance Portability and Accountability Act (HIPAA) covers all healthcare organizations. This includes all healthcare providers, even one-physician offices, health plans, employers, public health authorities, life insurers, clearinghouses, billing agencies, information systems vendors, service organizations and universities. The goal of the act is to promote administrative simplification of healthcare transactions and to ensure the privacy and security of patient information. HIPAA comprises three distinct parts: transaction standards, security regulations and privacy/confidentiality regulations. This overview will focus primarily on the patient privacy portion of the act.

Transaction Standards: HIPAA's transaction standards call for the use of common electronic claims standards, common code sets and unique identifiers for all healthcare payers and providers. Today, health providers and plans use many different electronic formats. Implementing a national standard will mean those covered by HIPAA will all use one format, thereby simplifying and improving transaction efficiency nationwide. Congress estimated that standardizing the electronic communication formats will save covered entities $29.9 billion over 10 years. The transactions rules became effective October 16, 2000. The compliance date for this portion of HIPAA is October 16, 2003.

Security Regulations: The security regulations of HIPAA dictate the kind of administrative procedures and physical safeguards covered entities must have in place to ensure the confidentiality and integrity of protected health information. The security regulations provide a uniform level of protection of all health information that is housed or transmitted electronically and that pertains to an individual.

The security rules were published February 20, 2003. The compliance date for all covered entities except small health plans is April 20, 2005. The compliance date for small health plans is April 20, 2006.

Privacy/Confidentiality Regulations: Most covered entities must comply with the privacy/confidentiality regulations of HIPAA by April 14, 2003. Small health plans (those with annual receipts of $5 million or less) have until April 14, 2004 to comply.

Basically, the privacy rule protects individually identifiable health information. Protected patient information includes:

  • Name
  • Specific dates: birth, admission, discharge, death
  • Telephone number
  • Social Security number, medical record number
  • Photographs
  • City, zip code and other geographic identifiers

To accomplish its objective, HIPAA established five basic principles or rules that must be addressed by covered entities:

  • Consumer Control
  • Boundaries
  • Security
  • Accountability
  • Public Responsibility

Consumer Control: Under this rule, patients have significant new rights to understand and control how their health information is used. Healthcare providers must provide patients with a clear written explanation of how they use, keep and disclose patient health information. In addition, patients must also have access to their medical records.

The consumer control measures also restrict the release of certain information without patient consent and ensure that patient consent is not coerced (i.e. providers and health plans cannot condition treatment on a patient's agreement to disclose health information for non-routine uses).

Patients are also provided with recourse options should they feel their confidentiality has been violated under the consumer control measures.

Boundaries on Medical Record Use and Release: This rule restricts the use of patient health information to medical purposes only. Patient health information cannot be used by employers to make personnel decisions or by financial institutions without permission from the individual.

Ensure the Security of Personal Health Information: This rule establishes patient information confidentiality standards that covered entities must meet, but it leaves the detailed policies and procedures for meeting the standards to the discretion of the covered entity.

Covered entities must have written privacy procedures in place. The procedures must identify who has access to protected information and how the information will be used. Patient privacy awareness training is also required for employees who have access to confidential information, and covered entities are required to designate a privacy officer who is responsible for ensuring established procedures are followed.

In addition to implementing privacy procedures, covered facilities must also establish a grievance process for patients to follow if they believe their privacy has been compromised.

Under this same umbrella falls HIPAA's Incidental Uses and Disclosures rule, which addresses communication within a healthcare setting. Phoenix Health Systems prepared a thorough overview of Incidental Uses and Disclosures (http://www.hipaadvisory.com/regs/finalprivacymod/gincidental.htm) and they describe it this way:

The HIPAA standard acknowledges that many customary healthcare communications and practices play an important or even essential role in ensuring that individuals receive prompt and effective health care. Due to the nature of these communications and practices, as well as the various environments in which individuals receive health care or other services from covered entities, the potential exists for an individual's health information to be disclosed incidentally. For example, a hospital visitor may overhear a provider's confidential conversation with another provider or a patient, or may glimpse a patient's information on a sign-in sheet or nursing station whiteboard. The HIPAA Privacy Rule is not intended to impede these customary and essential communications and practices and, thus, does not require that all risk of incidental use or disclosure be eliminated to satisfy its standards. Rather, the Privacy Rule permits certain incidental uses and disclosures of protected health information to occur when the covered entity has in place reasonable safeguards and minimum necessary policies and procedures to protect an individual's privacy.

Reasonable safeguards will vary from covered entity to covered entity depending on the size and nature of the business. The Phoenix Health Systems document offers the following examples of reasonable safeguards presently used within the healthcare industry:

  • Speaking quietly when discussing a patient's condition with family members in a waiting room or other public area.
  • Avoiding using patients' names in public hallways and elevators, and posting signs to remind employees to protect patient confidentiality.
  • Isolating or locking file cabinets or records rooms.
  • Providing additional security, such as passwords, on computers maintaining personal information.

Covered entities must review their own practices and determine what steps are reasonable to safeguard their patient information. In determining what is reasonable, covered entities should assess potential risks to patient privacy, as well as consider such issues as the potential effects on patient care and any administrative or financial burden to be incurred from implementing particular safeguards. Covered entities also may take into consideration the steps that other prudent healthcare and health information professionals are taking to protect patient privacy.

Examples of the types of adjustments or modifications to facilities or systems that may constitute reasonable safeguards are:

  • Pharmacies could ask waiting customers to stand a few feet back from a counter used for patient counseling.
  • In an area where multiple patient-staff communications routinely occur, use of cubicles, dividers, shields, curtains, or similar barriers may constitute a reasonable safeguard. For example, a large clinic intake area may reasonably use cubicles or shield-type dividers, rather than separate rooms, or providers could add curtains or screens to areas where discussions often occur between doctors and patients or among professionals treating the patient.
  • Hospitals could ensure that areas housing patient files are supervised or locked.

Establish Accountability for Medical Records Use and Release: Under this rule, civil and criminal penalties are established for the misuse of personal health information. Civil fines for improper release or use of patient information start at $100.00 per incident; criminal penalties carry fines of up to $250,000 and 10 years in prison.

Balancing Public Responsibility with Privacy Protections: In certain instances (national priority activities and activities that allow the healthcare system to operate more smoothly) health information can be disclosed without patient authorization. Within certain guidelines detailed under this rule, covered entities may disclose information for:

  • Oversight of the healthcare system, including quality assurance activities
  • Public health
  • Research, generally limited to when a waiver of authorization is independently approved by a privacy board or Institutional Review Board
  • Judicial and administrative proceedings
  • Limited law enforcement activities
  • Emergency circumstances
  • For identification of the body of a deceased person, or the cause of death
  • For facility patient directories
  • For activities related to national defense and security

The rule allows for, but does not require, disclosure in these instances. If there is no law requiring that information be disclosed, physicians and hospitals will still have to make judgments about whether to disclose information, in light of their own policies and ethical principles.

HIPAA's privacy requirements are designed to establish a national standard for patient information confidentiality. HIPAA preempts state law except:

  • Where the state law is necessary to prevent fraud and abuse,
  • To ensure state insurance or health plan regulation,
  • To address controlled substances or for certain other purposes, and
  • When state law is more stringent than HIPAA requirements.

In terms of the financial impact of implementing HIPAA, Congress noted in 1996 when the bill was signed into law that HIPAA will save money for the healthcare industry over the long haul. Congress said that the savings provided by the standardization of electronic forms would more than offset any cost incurred by implementing the privacy requirements of HIPAA. It estimated that over a 10-year period, HIPAA would end up saving covered entities $12.3 billion.

Additional information regarding HIPAA is available through the following resources:

www.hipaadvisory.com/

www.the-dma.org

www.cms.hhs.gov/hipaa/

www.hipaa.org/

www.hhs.gov/ocr/hipaa/


Please Note: The information contained in this publication is intended for general information purposes only. This publication is not a substitute for review of the applicable government regulations and standards, and should not be construed as legal advice or opinion. Readers with specific questions should refer to the cited regulation or consult with an attorney.

© 2012 GHC Specialty Brands, LLC