Privacy Regulations in Your Hip Pocket
In 1996 Congress passed a law called the Health Insurance Portability
and Accountability Act (HIPAA). That law required a set of
federal regulations on Privacy and Security. On April 14,
2003 the Privacy regulations became effective. April 21, 2005
is the implementation date for the Security regulations. The
Security regulations are not discussed in this document.
The Privacy Regulations
These regulations require all
"Covered Entities" (CE) to give their patients a
Notice of Privacy Practices telling how a patient's confidential
health, billing and demographic information (called "Protected
Health Information" or PHI) is protected by the Covered
Entity. A "Covered Entity" is a health plan (such
as an HMO, in our case M-Care), a clearinghouse (like WebMD),
or a health care provider who submits bills electronically.
Providers include private practitioners like doctors and dentists
as well as hospitals and other health care facilities. The
University of Michigan Health System and its providers are
a Covered Entity. Other parts of the University such as University
Health Service and certain benefit plans are also Covered
Once the CE provides the Notice
of Privacy Practices, it asks the patient to acknowledge receipt.
The CE can then provide treatment or services, bill the patient
for the treatment or collect premiums and perform core operations
(such as infection control, quality assurance, sending reminder
letters, accreditation, teaching, etc.). If a practitioner
wants to do research involving the patient or the patient's
records, the patient needs to authorize this use.
The Privacy regulation is intended to increase the patient's
control over who can see or use the patient's PHI. So, while
CEs can use or disclose the PHI for treatment, billing, and
core operations, they need a written authorization for most
other purposes. The regulatory approach is:
1. Once a Notice is provided, TPO (treatment, payment,
operations) can occur.
2. A patient can verbally tell a health care professional
which of the patient's family members the provider may talk
to about the patient's care, and inpatients in a facility
can simply say whether they want to be listed in the facility
3. Disclosures required by law (child abuse, licensing
actions, public health reporting, etc.) can occur without
4. Other disclosures must only occur with a written
authorization from the patient.
5. Certain other laws, such as the Family Educational
Rights and Privacy Act, remain in effect.
The regulations give patients
the right to access their PHI, request amendments to anything
they feel is not correct, and obtain information about some
disclosures made without their authorization. They also require
CEs to be careful how they handle PHI: for example, we have
to use it only for permissible purposes, provide only the
minimum necessary information, verify the identity and authority
of people who ask to see it, and take security precautions
to protect it. If we fail to do these things, we can be subject
to civil and criminal penalties.
What Does the University Do?
Privacy is critically important
to us. Both main campus and the health System have Privacy
Offices that work to ensure compliance with the regulation.
More information about the University's approach to the regulations
can be found at firstname.lastname@example.org. And, the regulations
and FAQs can be seen at: www.hhs.gov/ocr/hipaa.
The Health System Notice of Privacy Practices is posted in
various locations throughout the Health System and on the
Web at www.med.umich.edu/hipaa.
Educational materials are available at that website. We have
detailed policies and procedures setting forth our approach
to protection of our patients' information. The University
will take appropriate disciplinary action if anyone wrongly
uses or discloses PHI.
How to Obtain Legal Advice about
the Privacy and Security regulations?
The Health System Legal Office
(764-2178) can help with questions, policy, legal guidance