Protecting Personal Health Information (PHI)

The HIPAA privacy rule is designed to protect a patient’s personal health information from being accessed by an unauthorized person.  The privacy rule actually builds on well-accepted principles for patient privacy and dovetails with state laws as well as institutional policies for handling protected health information.  April 14, 2003 is the target date for the privacy rules to be in place.

Still, the HIPAA rule lays out a new privacy environment for patients and for healthcare providers.  More consumer control over health information is called for in the following ways:

  1. Patients are to be informed in more detail about the use of their protected health information at the beginning of their care by receiving a notice of privacy practices document prepared by the provider or healthcare organization.
  2. Patients are given the right to examine and obtain a copy of their health records and are allowed to amend the records if errors have been made and if they follow a written process to make such amendments.  Exceptions are allowed in special cases such as when access to the information may be harmful to the patient.
  3. Written authorizations from patients are required for the release of their health information; they may revoke authorizations if they wish.  Authorizations are not required in cases where release is required by law.
  4. Patients may request their providers to provide an accounting of their health information disclosures made in the six years prior to the request.  This accounting extends only to protected health information that was disclosed to entities outside the organization.  According to the HIPAA rule, patients do not have a right to know who has seen their records in the course of providing care or billing activities.7 However, it is important to check individual state law in the area of patients’ rights.
  5. If privacy violations occur, patients may file a complaint regarding the violations at the provider level and with the Secretary of Health and Human Services with the assurance there will be no retaliation against the patient. 

For healthcare providers including dentists, the privacy rule sets boundaries on the use and release of health information.  With few exceptions, health information is to be used for healthcare and related purposes.  The rule also requires that providers establish clear privacy policies and procedures.  For example, privacy procedures should describe how patients are to authorize the release of their protected health information and should specify that, when disclosing health information, providers limit the release to the “minimum reasonably needed” for the purpose of the disclosure.

Dentists must therefore establish clear privacy policies and procedures for privacy practices.  A privacy officer is required to oversee the privacy practices to assure that appropriate policies and procedures are adopted and followed.  In small practices, an office manager may serve in this capacity along with other business responsibilities.  In larger organizations, the privacy officer focuses entirely on the privacy requirements, developing policies and procedures, and overseeing related activities.

The rule lays out a new privacy environment for patients and for healthcare providers.  The HIPAA privacy rule gives patients more control over their health information.  Patients will be informed in more detail about the use of their protected health information at the beginning of their care, and they have a specific opportunity to learn about how their information is used.  They also are given the right to examine and obtain a copy of their health records and may amend the records if errors have been made.  Patients’ written authorization for the release of their health information is clearly defined and their rights to revoke authorizations are spelled out.  Patients may receive an accounting of their health information disclosures from their providers.  Finally, patients may file a complaint regarding privacy violations at the provider level and with the Secretary of Health and Human Services with no retaliation against the patient.  Many of these features of the privacy rule are already in place in healthcare settings today.  Typically, patients are asked to sign authorizations to disclose their health information; in many states, patients have the right to receive copies of their health record. 

The privacy rule calls for privacy training for all staff, but the training component may consist of setting aside an opportunity to review the privacy policies and procedures with the small staff, so the review should be conducted before starting training.

There are numerous HIPAA aids available online, and samples of Notice of Information Practices documents can be found at http://www.ahima.org/journal/pb01.05.3.htm as well as at other sites.

The HIPAA privacy rule sets a national floor for minimum privacy standards.  Some states have stronger laws providing additional privacy protection.  This means that individual providers must be sure their policies and procedures accommodate both the HIPAA requirements and those of applicable state laws.  The privacy rule also accommodates existing public health mandatory reporting requirements.

Citation Number:
Vol. 4, No. 1, Page 061