HIPAA Regulations and Information Security Essay
The Health Insurance Portability and Accountability Act (HIPAA) authorizes the US Department of Health and Human Services (HHS) to promulgate regulations regarding the protection of healthcare information (Shoniregun, Dube & Mtenzi, 2010). In accordance with this authority, the Department enacted the following rules: the privacy rule, the security rule, the transactions and code sets rule, the enforcement rule and the unique identifiers rule (Shoniregun et al., 2010). All of these rules address the exchange of health information to different degrees. However, the rule most relevant to the exchange of healthcare information is the privacy rule.
The privacy rule establishes requirements as to when and to whom certain healthcare information can be disclosed. As a general rule, healthcare providers and other covered entities (health plans and healthcare clearinghouses) are allowed to disclose certain personal healthcare information only to the patient concerned or, with the patient's consent, to third parties (45 CFR § 164.502). Thus, healthcare providers and other covered entities are permitted to disclose certain personal healthcare information for treatment, payment, or health care operations with the consent of the patient concerned (45 CFR § 164.506). The regulations specify that healthcare providers must obtain authorization from the patient in order to use or disclose any psychotherapy notes, to use the information for marketing purposes, or to sell it (45 CFR § 164.508).
There are, however, a number of exceptions to the general rule that the use and disclosure of personal healthcare information must be authorized by the patient. Thus, healthcare providers and other covered entities do not need authorization when the use or disclosure of the healthcare information is required by law (45 CFR § 164.512(a)). Furthermore, healthcare information can be disclosed to a public health authority that is entitled to collect such information in order to control or prevent disease, disability and injury (45 CFR …). Such information can also be disclosed to a public health authority or any other authority that is entitled to receive reports of child neglect or abuse (45 CFR § 164.512(b)). Next, authorization by the patient is not necessary to disclose healthcare information to a person subject to the jurisdiction of the Food and Drug Administration (FDA), if that person is charged with ensuring the quality, safety or effectiveness of an activity or product regulated by the FDA (45 CFR § 164.512(b)). In addition, disclosure of healthcare information without the patient's authorization is permitted if the disclosure is made to an employer and concerns one of its employees (45 CFR § 164.512(b)). There are limits: such information can be disclosed only at the request of the employer and only concerning work-related medical surveillance or a work-related injury or illness (45 CFR § 164.512(b)). When such information is disclosed to the employer at its request, the healthcare provider must notify the patient of the disclosure (45 CFR § 164.512(b)). Moreover, if a patient is a student, his or her …