The United States Department of Health and Human Services, Office of Civil Rights (OCR) has been charged with enforcement of the HIPAA privacy regulations. Commonly referred to as the Privacy Rule, the regulations go online for enforcement beginning April 14, 2003. On December 3, 2002, the OCR released much-needed additional guidance on how it expects health care providers and other covered entities to implement the Privacy Rule established as part of the Health Insurance Portability and Accountability Act of 1996. This is Part One of a two-part series designed to cover this new guidance, as well as other common issues for ambulance services that have developed under the Privacy Rule.
The document, titled “Standards for Privacy of Individually Identifiable Health Information” (the “Guidance”) and available at www.hhs.gov/ocr/hipaa/privacy.html, provides new information on several key areas of the Privacy Rule that directly relate to ambulance service providers. That is good news. In fact, the word “ambulance” actually appears four times and the phrase “emergency medical provider” appears a number of times as well!
For the first time, the HIPAA Privacy Rule creates national standards to protect patient medical records and other personal health information. OCR gives some very good commonsense reasons behind what the Privacy Rule is intended to do, and an excellent summary of what it means for patients. There was a need for this guidance, as it is unfortunate that many commonsense notions about patient privacy and the use and disclosure of patient information took on an almost amoeba-like form with the Privacy Rule. There are literally hundreds of pages of regulation, preamble to regulation, questions and answers, and materials from the federal government on what should have amounted to an easy-to-administer regulation. Phrases and acronyms like “PHI,” “NPP,” “designated record sets,” “role based access,” and “business associates” now take on a unique meaning with many definitional twists.
Bringing it back to basics, the OCR reminds us that the Privacy Rule was intended to:
For patients, the OCR points out that among the benefits of the Privacy Rule is that patients are “able to make informed choices when seeking care and reimbursement for care based on how personal health information may be used.” Here is what the Privacy Rule does for patients:
The newly updated Guidance is broken down into major subject sections, each with a set of answers to frequently asked questions at the end of the section, and a short description of what is required by health care providers and other entities to meet the requirements of that section of the privacy standard. Some of the Guidance is similar to the version issued by HHS in July 2001, but it has been totally revised to address many of the top privacy compliance issues that have recently arisen.
Disclosures of PHI by phone, radio, or other “med patch” to the hospital are permitted as an incidental disclosure not requiring special security measures.