Health Insurance Portability
& Accountability Act (HIPAA)
Congress passed the Health Insurance Portability and Accountability Act, or HIPAA, in 1996. Its primary purpose is to insure that people who change jobs cannot be denied health insurance in a new job because of a pre-existing health condition. The law also established minimum standards of privacy and security to ensure that sensitive information about individuals’ health would remain confidential.
HIPAA restricts the way “covered entities” can share personal health information. The law defines covered entities as any health plan, health care clearinghouse, or health care provider that transmits health-related data electronically. The Montana Department of Public Health and Human Services (DPHHS) is a “hybrid entity” under HIPAA, meaning that it consists of both covered and non-covered portions. We are required by HIPAA to take extra precautions to protect the personal health information of our clients, held within the covered portions of DPHHS.
What is Protected Health Information (PHI)?
HIPAA introduces a number of concepts, the most important of which is PHI, or Protected Health Information. PHI is any information that relates to a person’s medical condition or payment for health care that identifies or might identify that person.
In order to protect client privacy, HIPAA requires covered entities, including the covered portions of the department, to limit the amount of PHI that they request from clients or provide to others. In most cases, the department must get written authorization from clients before it can disclose their PHI. The department does not need authorization if the information:
- Is necessary to provide appropriate medical treatment;
- Was requested by the individual about himself/herself;
- Is required to be reported to an entity by law;
- Is required to be provided to comply with federal or state program mandates; or
- Is required to pay medical claims.
DPHHS is required to provide clients with a Notice of Use of Protected Health Information. This notice explains how the department uses and discloses PHI. It also explains how clients can complain about information practices of the department and to whom they should direct such complaints.
- Designation of Authorized Personal Representative for Health Information (HPS-401)
- Authorization for the Use and Disclosure of Health Information (HPS-402)
- Request to Send Protected Health Information to an Alternate Location (HPS-403)
- Complaint for Alleged Violation of Disclosure of Protected Health Information (HPS-404)
- Request for Personal Health Information (HPS-405)