The Key Elements of a Managed Care Contract and the Role HIPAA Plays in the Health Care Industry
Most people would agree that basic human rights include privacy. However, social media, computers, and the Internet have eroded the traditional privacy and security barriers put in place. Documents can be shared with a simple click and access granted with credentials. Society can no longer dictate, in many cases, who or what has access to Personally Identifiable Information (PII). This especially affects healthcare provider entities, which up until the late 1990s and early 2000s kept most records in paper format.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information. To fulfill this requirement, HHS published what are commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule. The Privacy Rule, or Standards for Privacy of Individually Identifiable Health Information, establishes national standards for the protection of certain health information. The Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) establish a national set of security standards for protecting certain health information that is held or transferred in electronic form. The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called “covered entities” must put in place to secure individuals’ “electronic protected health information” (e-PHI). Within HHS, the Office for Civil Rights (OCR) has responsibility for enforcing the Privacy and Security Rules with voluntary compliance activities and civil money penalties. Prior to HIPAA, no generally accepted set of security standards or general requirements for protecting health information existed in the health care industry. At the same time, new technologies were evolving, and the health care industry began to move away from paper processes and rely more heavily on the use of electronic information systems to pay claims, answer eligibility questions, provide health information and conduct a host of other administrative and clinically based functions.
In a 1999 survey of consumer attitudes toward health privacy, three out of four people reported that they had significant concerns about the privacy and confidentiality of their medical records (Forrester Research, 1999). In a more recent survey, conducted in 2005 after the implementation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, 67 percent of respondents still said they were concerned about the privacy of their medical records, suggesting that the Privacy Rule had not effectively alleviated public concern about health privacy. Ethnic and racial minorities showed the greatest concern among the respondents. Moreover, the survey showed that many consumers were unfamiliar with the HIPAA privacy protections. Only 59 percent of respondents recalled receiving a HIPAA privacy notice, and only 27 percent believed they had more rights than they had before receiving the notice (Forrester Research, 2005). One out of eight respondents also admitted to engaging in behaviors intended to protect their privacy, even at the expense of risking dangerous health effects. These behaviors included lying to their doctors about symptoms or behaviors, refusing to provide information or providing inaccurate information, paying out of pocket for care that is covered by insurance, and avoiding care altogether (Forrester Research, 2005).
On the whole, HHS should also simplify the criteria that IRBs and Privacy Boards use in making determinations for when they can waive the requirements to obtain authorization from each patient whose PHI will be used for a research study. If the current criteria for waiver of authorization are to be retained, a clear and reasonable definition of impracticability from HHS, along with specific case examples of what should or should not be considered impracticable or of minimal risk, could reduce variability and overly conservative interpretations among IRBs and Privacy Boards.
Flannery J, Tokley J. AMA poll shows patients are concerned about the privacy and security of their medical records. Australian Medical Association; 2005.
Forrester Research. National survey: Confidentiality of medical records. 1999.
IOM (Institute of Medicine). Protecting data privacy in health services research. Washington, DC: National Academy Press; 2000.