Health Information Portability
& Accountability Act (HIPAA)
Congress passed the Health Information Portability and Accountability Act, or HIPAA, in 1996. Its primary purpose is to insure that people who change jobs cannot be denied health insurance in a new job because of a pre-existing health condition. The law also established minimum standards of privacy and security to ensure that sensitive information about individuals’ health would remain confidential.
HIPAA restricts the way “covered entities” can share personal health information. The law defines covered entities as any health plan, health-care clearinghouse, or health-care provider that transmits health-related data electronically. The Montana Department of Public Health and Human Services (DPHHS) is a covered entity under HIPAA, so we must take extra precautions to protect the personal health information of our clients.
What is Personal Health Information (PHI)?
HIPAA introduces a number of new concepts, the most important of which is PHI, or Protected Health Information. PHI is any information that relates to a person’s medical condition or payment for health care that identifies or might identify that person.
In order to protect client privacy, HIPAA requires covered entities, including the department, to limit the amount of PHI that they request from clients or provide to others. In most cases, the department must get written authorization from clients before it can disclose their PHI. The department does not need authorization if the information:
- Is necessary to provide appropriate medical treatment;
- Was requested by the individual about himself/herself;
- Is required to be reported to an entity by law;
- Is required to be provided to comply with federal or state program mandates; or
- Is required to pay medical claims.
What if my PHI is wrong?
HIPAA also gives people a chance to amend the PHI that is held by a covered entity. The client must make the request in writing, and the entity can either choose to make the desired corrections or respond in writing that it will deny the request. The request can only be denied if the record no longer exists or cannot be found, if the record is maintained by another entity, or if the entity believes the record is correct. If the entity denies the request, the client can submit another written statement disagreeing with the denial, and that statement must be included with all future disclosures of that PHI.
DPHHS is required to provide clients with a Notice of Privacy Practices. This notice explains how the department uses and discloses PHI. It also explains how clients can complain about information practices of the department and to whom they should direct such complaints.
If you have questions about PHI or HIPAA, contact the department’s toll-free HIPAA hotline at: 1-800-645-8408.
