Although the Health Insurance Portability and Accountability Act (HIPAA) was first passed into law by Congress in 1996, many are still contending with the massive scope of the legislation and the many organizations that have obligations under this law, even those who are not healthcare providers, hospitals, or health plans.
HIPAA is the first federal law to address health privacy in a comprehensive way. HIPAA can be separated into three general areas: electronic transactions, privacy, and security. At this time, only the regulations related to the electronic transactions and privacy areas have been finalized.
The HIPAA Privacy Rule covers all identifiable information or personal health information (PHI) about a patient that is transferred to or maintained by a healthcare provider, including e-mail, electronic, fax, paper, oral, and voice mail records, as well as phone conversations. HIPAA rules protect the information itself, not the record in which the information appears. In other words, information does not lose its protection simply because it is stored in or printed from a computer.
Even at this late date, much confusion exists in all industries regarding compliance requirements, who must comply, and who need not worry about compliance. Most healthcare organizations must comply with HIPAA’s Privacy Rule by April 14, 2003, but many other organizations, including a large number of employers, also will be affected by this rule. In fact, HIPAA’s Privacy Rule will impact, at least indirectly, all organizations in some way.
Therefore, records and information management (RIM) professionals must know what the HIPAA Privacy Rule entails and be prepared to comply with its rules and regulations. Even if an organization is not a healthcare-related organization and does not have to comply with HIPAA, it still should implement a privacy policy and procedures for handling information correctly and protecting it from inappropriate use.