Case Presentation
The confidentiality of medical information became an agenda
item for Congress when electronic data systems became widely
adopted throughout the United States. The increased use of
computers in health care had created the capacity for critical
health care information to be efficiently shared among health care
providers and among insurance companies. Advocates for patient
confidentiality and information privacy argued that the ease of
information sharing through electronic transmission of records
would result in personal health information becoming available to a
wide variety of interested parties. Access to this information
could result in a variety of actions, including denial of coverage
through employer-sponsored plans to individuals or family members
with chronic or debilitating conditions. Other unfavorable outcomes
from the unrestricted sharing of private health information could
also result, such as the sale of mailing lists of individuals with
particular medical conditions to companies with a commercial
interest in obtaining those lists.
The intent of the Health Insurance Portability and
Accountability Act (HIPAA) of 1996 was to limit the ability of
employers to deny health insurance coverage to their employees
based on preexisting medical conditions. In the formulation of a
policy response, the intervention chosen by Congress was to limit
access to health care information to only parties with a legitimate
role in the financing and delivery of services, specifically health
care providers, insurance companies, and third-party contractors.17
Through HIPAA, Congress directed the United States Department of
Health and Human Services (USDHHS) to implement the policy by
developing privacy rules that protect electronically transmitted
health information. These rules cover any entity that must have
access to this information for legitimate purposes and provide
guidelines for determining access to and disclosure of protected
health information. Criminal and financial penalties are provided
for proven HIPAA violations, including federal prison sentences for
perpetrators and fines of up to $250,000. Investigations and
prosecutions of HIPAA violations are the responsibility of the
United States Department of Justice.17
One of the federal agencies tasked with public review and
reporting for federal policies is the United States Government
Accounting Office (GAO). The GAO has published different reviews of
HIPAA at the request of government officials over the years since
passage of the statute, and these reports are publically available
on the GAO website. A recent review18 documents the ongoing issues
of implementation of this widespread policy that governs the
electronic transmission of health care information. HIPAA provides
broad guidelines for the protection of patient information that
must be interpreted for implementation. Covered entities targeted
by the statute are expected to develop HIPAA-compliant policies
that govern the treatment of protected health information in their
organizations and during transactions with contracted third
parties. The GAO report notes there is still much guidance to be
issued by USDHHS to assist these entities in complying with HIPAA
guidelines. This guidance will be created through USDHHS
rule-making authority and will be publicly available for comment
and feedback by affected organizations and the general public
during the rule-making process.
Case Analysis
This case demonstrates some of the major components of the
health policy concept. HIPAA is the result of public concerns about
the privacy of health care data. The electronic transmission of
data potentially involves disparate entities, persons, and
companies across a variety of states. This called for a federal
response because the federal government is responsible for
regulating interstate commerce. However, insurance, including
health insurance, is regulated at the state level as a part of
state responsibilities. This federal law, meant to address the
confidentiality of health data as it is transmitted electronically
across the country, is the result of a public process of
information exchange and negotiation among different levels of
government and a variety of interested parties. The rules and
regulations created by federal agencies tasked with implementing
this law are under continuous review as is expected with the
dynamic political processes that exist in the United States.
Please answer the following questions pertaining to the Case
Study.
Question 1: What does the phrase “covered entities” refer
to?
Question 2: How can the student nurse ensure they are
remaining HIPAA compliant when in a clinical setting?