Health Insurance Portability and Accountability Act (HIPAA) of 1996

HIPAA establishes federal standards protecting sensitive health information from being disclosed without a patient’s consent. Two key aspects of HIPAA are the Privacy Rule and the Security Rule.

• The Privacy Rule

  • Addresses the use and disclosure of individuals’ protected health information (PHI) by covered entities.

  • Contains standards for individuals’ rights to understand and control how their health information is used.

  • There are circumstances where the law permits covered entities to disclose protected health information. Learn more here. And here.

  • Applies to all individually identifiable health information held or transmitted by a covered entity in any form, whether electronic, oral, or written.

 

• The Security Rule

  • Protects a subset of information covered by the privacy rule which includes all individually identifiable health information that a covered entity creates, receives, maintains, or transmits electronically. 

  • Does not apply to personal health information that is transmitted orally or in writing.

• Covered entities are permitted to use and disclose PHI without an individual's consent for the following limited purposes:

  • To the individual

    •  A covered entity may disclose protected health information to the individual who is the subject of the information.

  • Treatment, payment, and healthcare operations

    • A covered entity may use and disclose protected health information for its own treatment, payment, and health care operations activities.

  • Opportunity to agree or object

    • Informal permission may be obtained by asking the individual outright, or by circumstances that clearly give the individual the opportunity to agree or object. 

  • Incident to an otherwise permitted use and disclosure

    • The Privacy Rule does not require that every risk of an incidental use or disclosure of PHI be eliminated. A use or disclosure of PHI that occurs as a result of an otherwise permitted use or disclosure is permitted as long as the covered entity has adopted reasonable safeguards as required by the Privacy Rule, and the information being shared was limited to the "minimum necessary," as required by the Privacy Rule.

  • Public interest and benefit activities

    • The Security Rule permits use and disclosure of protected health information, without an individual's authorization or permission, for 12 national priority purposes:

      • When required by law. 

      • For public health activities, such as preventing or controlling disease and FDA regulation.

      • In certain circumstances, regarding victims of abuse, neglect, or domestic violence.

      • For purposes of legally authorized health oversight activities, such as audits and investigations.

      • In a judicial or administrative proceeding if the request for information is through an order from a court or administrative tribunal.

      • For law enforcement purposes (1) as required by law, (2) to identify and locate a suspect, fugitive, material witness, or missing person, (3) in response to a law enforcement official’s request for information about a victim or suspected victim of a crime, (4) to alert law enforcement of a person’s death if it is suspected that criminal activity caused the death, (5) when it is believed that PHI is evidence of a crime that occurred on a protected entity’s premises, (6) in a medical emergency when necessary to inform law enforcement about the commission and nature of a crime, the location of the crime/victims, and the perpetrator of the crime. 

      • To funeral directors and coroners or medical examiners to identify a deceased person, determine cause of death, and perform other functions authorized by law

      • To facilitate organ donation and transplantation.

      • For research purposes, under specific guidelines. More details here.

      • To prevent or lessen serious and imminent threats to a person or the public.

      • For essential government functions, such as the execution of a military mission, conducting intelligence/national security activities as authorized by law, providing protective services to the President, making medical suitability determinations for U.S. State Department employees, protecting the health and safety of inmates or employees in a correctional facility, and determining eligibility for/conducting enrollment in certain government benefit programs.

      • To comply with workers’ compensation law and other programs providing benefits for work-related injuries or illnesses.

  • Limited data set for the purposes for research, public health, or healthcare operations, providing that the recipient of the data enters into a data use agreement promising specified safeguards for the included PHI.

    • A limited data set is protected health information that has had direct identifiers of individuals removed like their relatives, household members, and employers.

  • Any additional reasons described in a Notice of Privacy Practices.

Pennsylvania Bill of Rights for Patients. Title 55, Chapter 5100 of the Pennsylvania Code

• States the following rights for patients in PA:

  • You have a right to be treated with dignity and respect.

  • You shall retain all civil rights that have not been specifically restricted by court order.

  • You have the right to unrestricted, private communication inside and outside the healthcare facility.

  • You have the right to practice the religion of your choice or to abstain from religious practice.

  • You have the right to keep personal possessions, unless they are determined to be contraband. The reasons and scope of restriction for any items being prohibited must be clearly defined, recorded, and explained.

  • You have the right to handle your personal affairs.

  • You have the right to participate in the development and review of your treatment plan.

  • You have the right to receive treatment in the least restrictive setting necessary to accomplish treatment goals.

  • You have the right to be discharged from the facility as soon as you no longer need care.

  • You have the right not to be subjected to any harsh or unusual treatment.

  • You have the right to be discharged from any facility if you have been involuntarily committed in accordance with civil court proceedings, are not receiving treatment, are not a danger to yourself or others, and can survive safely in the community.

  • You have a right to be paid for any work you do which benefits the operation and maintenance of the healthcare facility.

The No Surprises Act of 2022

• If you have insurance:

  • The No Surprises Act is a federal law that applies to most types of health insurance and protects you from out-of-network medical bills, such as ER expenses and non-emergency, out-of-network care related to a visit to an in-network provider.

• If you have no insurance or are underinsured:

  • Providers must give you a “good faith estimate” of what your care will cost. You can get this upon request and/or when you schedule treatment at least three days in advance. You will not receive an estimate during emergency care. You may be able to dispute your bill if it is $400+ the estimate you were provided.

The Patient Protection and Affordable Care Act (ACA) of 2010

• Three primary goals:

  • Make health insurance more affordable and available to more people. 

  • Expand the Medicaid program (varies by state)

  • Support innovative medical care delivery methods designed to lower the cost of healthcare.