With the latest 2019 privacy push in healthcare and personally identifiable information, it is imperative that LPN nurses understand HIPAA regulations to properly comply in their workplace.
What is HIPAA? HIPAA is an acronym for a federal privacy regulation. It stands for Health Insurance Portability and Accountability act of 1996. It’s found at 45 CFR Part 160 and 164. HIPAA affects health insurance plans, health care clearinghouses and just about any other health care provider that passes on health care information in electronic form. It involves certain enumerated transactions.
Protected Patient Information
As per the U.S. Department of Health and Human Services, HIPAA is intended to protect “all identifiable health information” that a covered entity or its business associate is in possession of or is intended to be transmitted in whatever form that it might exist in. This information is known as “protected health information.” It includes what the regulation designates as “individually identifiable health information.” Such information can include demographic data in connection with the following:
- An individual’s physical or mental health, whether the information that information is for the past, present or future.
- The care and treatment that was provided for the individual.
- Any past, present or future arrangement for payment for health care services to a person.
None of the above is allowed to directly or identify the recipient of the health care services that were, are or will be provided to them.
HIPAA Hosting for Digital Compliance
As an LPN nurse, you’ll access patient records digitally, which requires an additional layer of security. With the majority of patient records being stored online, HIPAA guidelines extend to the digital realm. In particular website hosting, patient portal logins, and any other web-based document repositories need to understand HIPAA compliant hosting requirements.
Your medical employer should be familiar with the HIPAA hosting for digital compliance rules, but it would be wise to familiarize yourself with these regulations as well. Recommended resources include: 1) Privacy, Security, and Electronic Health Records, as published by the U.S. Department of Health & Human Services Office for Civil Rights, 2) HIPAA Compliant Hosting – Top 16 Certified Providers of 2019 by Web Hosting Professor, 3) Chapter 4 Understanding Electronic Health Records, the HIPAA Security Rule, and Cybersecurity by the The Office of the National Coordinator for Health Information Technology.
De-Identifiable Health Information
If health information is de-identified, HIPAA has no restrictions on using or divulging information about a person’s health. When information is de-identified, there may be no reasonable basis upon which a person might be identified. De-identification can result in one of two ways. First, a qualified statistician can make the determination that information has been sufficiently de-identified. Next, it can be done by the removal of identifiers that are specific to the person and his or her relatives, household members and employer. This method is only acceptable when the entity under the purview of HIPAA has no actual knowledge that any information that could be remaining might be used for purposes of identifying the person.
When Use and Disclosure of Protected Information Is Allowed
There are only two occasion when an entity that falls under the purview of HIPAA can disclose information. First, it can release information when a person or his or her personal representative request access to it. It can also release information to the Department of Health and Human Services for purposes of a compliance investigation or enforcement action.
When Authorization Isn’t Required
An entity governed by HIPAA is permitted to disclose and use protected information for the following purposes without an authorization:
- In connection with treatment, coordination or management of health care by one or more providers regarding a patient or a referral of that patient.
- For purposes of payment, coverage and providing benefits.
- When health care operations encompass activities like case management, care coordination, provider performance evaluations.
- Fraud and abuse investigations.
- Underwriting and general business activity.
There isn’t any type of an official certification program for HIPAA, but failure to comply with HIPAA regulations can get extremely expensive very quickly. Private training companies do offer guidance for purposes of understanding what HIPAA requires.