The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 and provides federal protections for personal health information held by covered entities like Nicklaus Children's Hospital and gives patients certain rights with respect to that information. HIPAA is enforced by the Office for Civil Rights (OCR).
There are two sections which work together to protect patients: (1) HIPAA Privacy Rule and (2) HIPAA Security Rule.
What Information is Protected?
Protected Health Information (PHI) is:
- Individually identifiable health information created, received, transmitted or maintained by a covered entity such as Nicklaus Children's Hospital that links an identifiable person with their health condition.
- Information, including demographic information, that relates to:
- An individual’s past, present or future health condition;
- Providing health care to an individual; or
- The past, present, or future payment for providing health care to an individual
- AND that identifies or is reasonably believed to identify an individual.
It may be in many formats:
- Paper or hard copy: records, labels, x-rays, films, letters
- Electronic: computerized, digitized, video, audio
- Communication: verbal, sign language (conveying a message from one individual to another
Health Information Technology for Economic and Clinical Health Act (HITECH) added a breach notification requirement to HIPAA. The laws regarding HIPAA were updated through the American Recovery and Reinvestment Act (ARRA), which requires more enforcement and increased penalties. In addition, the recently implemented Final Omnibus Rule requires further changes to some aspects of our procedures.
There is a key change in the definition of a breach as well as the breach notification requirement.
An impermissible use or disclosure of protected health information is presumed to be a breach UNLESS the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised.
Covered entities are required to notify patients if there is a breach unless after completing a risk analysis, it is determined that there is a low probability of compromise of the PHI.
- Must provide notification to patients no later than 60 days after the date of discovery
- Must notify the HHS Secretary:
- immediately if more than 500 affected
- at the end of each year if less than 500
A substitute notice is required if there is insufficient or out of date contact information.
Florida’s Health Information Privacy Laws
Florida Statutes provide extra protections for individuals with respect to their health information and social security numbers.
There are enhanced protections under Florida Law for “highly confidential information”:
- Mental Health (psychotherapy notes)
- Substance/Alcohol Abuse Treatment
- STD/HIV/AIDS Test Results, Records or Treatment
- Domestic Violence Related Treatment
Florida’s laws governing health records for these types of information are more stringent that HIPAA and will override HIPAA.