Privacy Rules and HIPAA at The University of Iowa
The University of Iowa has implemented new federal privacy rules aimed at providing more protection for health care information.
Congress passed legislation in 1996 known as “HIPAA”: the Health Insurance Portability and Accountability Act, which includes a number of health reform provisions. For example, one part of HIPAA helps patients transfer their health care insurance coverage when they change jobs (hence the title: “health insurance portability”). A major section of the law addresses concerns about patient privacy and the growing issue of electronic transmission of data. Across the country, there were concerns about
1) differences in state laws and the fact that there was no national standard for privacy protection of health care information;
2) the potential for health information to be shared and disclosed for commercial use without the patient’s authorization; and
3) the possibility that confidential health information could be used to discriminate against individuals with long-term chronic illnesses. Congress directed the Department of Health and Human Services to adopt Rules to implement the privacy provisions of HIPAA. These rules (the “Privacy Rule”) have recently gone into effect.
The most visible effect of the rule will be the distribution of “privacy notices”. The rules require that “covered entities”, which include health care providers, advise clients of the uses of their health care information and the rights of the clients with regard to that information. This means that the first time a patient visits a nurse practitioner, physician, clinic, pharmacy, hospital or other provider, the patient will receive a “privacy notice”. Since insurance companies and health plans are also “covered entities” most people will also have received a privacy notice in the mail from their health insurer.
The privacy notice, which is required by law, will describe the uses of “protected health information”, that is, what the covered entity does with the personal information that it has in its possession. As a general matter, the health care provider will use health information for purposes that include treatment, payment, and operations.
The notice will also describe the rights that each person has regarding his or her health care record. In general, each person has a right to confidentiality of protected health care information, as well as additional rights such as receiving a copy of the record, placing restrictions on who receives information about their health care, and amending the record if an error has been made. The notice also informs people how to contact the institutional privacy officers for information.
Another effect of the rules is the training requirement. University staff members whose work entails contact with patient information have undergone training in the Privacy Rule and the University’s policies and procedures.
The new rules establish a national standard for privacy protection. They give patients more assurances that safeguards are in place to protect health care information in an era when information can be transmitted widely and quickly through electronic means. Protecting the confidentiality of patient information is an element of excellent care and service and is integral to both compliance with the Privacy rule and the mission of the university.
HIPAA - Security Regulations Compliance Requirements
Administrative and technical requirements to ensure HIPAA regulation compliance:
Relevant Laws and Regulations
Understanding Health Information Privacy:
General information about the Privacy Rule:
HHS press releases, fact sheets and other press materials on HIPAA and the Privacy Rule:
Privacy Rule and Research:
Staff Benefits long form version of Privacy Notice:
University of Iowa Hospitals and Clinics Policies and Procedures: