Notice of Privacy Practices
Effective Date: April 14, 2003 (Revised 2024)
The Basics of HIPAA
What is HIPAA?
As part of our promise at South Peninsula Hospital to give our patients the highest quality health care, we have always kept information about their health confidential, sharing it only with people who need the information to do their jobs. Now it is not only our promise, it is the law. The Privacy Rule ensures that personal medical information you share with doctors, hospitals, and others who provide and pay for health care is protected. The Health Insurance Portability and Accountability Act of 1996, or "HIPAA" for short, gives patients the right to access their records, to request amendments to their health information, and to limit the ways the facility uses their information. Alaska state law already provides some of these rights, but HIPAA makes them a federal mandate for the first time.
What brought about this law?
HIPAA is a broad law that covers a variety of issues. One goal was to enable people to move easily from one health insurance plan to another as they change jobs or become unemployed, and to allow providers treating a patient to share information more easily. The law requires health care providers and payers to use standard formats for common transactions such as submitting an insurance claim on a patient's behalf. Today, with e-mail and access to the Internet, it is much easier for providers to share records, but it is also much easier for people to misuse the information they contain. That is why the law includes sections with requirements for protecting patient privacy and confidentiality and for ensuring the security of health information.
What is considered Protected Health Information?
Protected health information (PHI) includes all identifying information patients provide and information about their treatment, including the following: name; address; age; Social Security number; diagnosis; medical history; medications; billing information; and a physician's personal notes maintained by a covered entity, regardless of form (written, oral, or electronic).
What is Minimum Necessary?
HIPAA requires health care employees to use or share only the "minimum necessary" information they need to do their jobs effectively. Covered entities must develop policies and practices to make sure the least amount of health information is used or shared. The covered entity must identify each employee, or class of employees, who regularly accesses PHI, along with the types of PHI they need and the conditions under which they may access it. The minimum necessary requirement does not apply to disclosures for treatment: clinical staff can look at a patient's entire record and freely share information with other clinicians caring for that patient.
When is Authorization Required?
The Privacy Rule requires a signed authorization from the patient to use or disclose their PHI for purposes other than treatment, payment, or health care operations. An authorization must be written in specific terms. It may allow use and disclosure of PHI by the covered entity seeking the authorization or by a third party. The authorization must include:
- A description of the PHI to be used/disclosed, in clear language
- Who will use/disclose PHI and for what purpose
- Whether or not it will result in financial gain for the covered entity
- The patient’s right to revoke the authorization
- The signature of the patient (or the legal guardian or representative of the patient) whose records are used/disclosed, and the date of signing
- An expiration date or expiration event.
What are the consequences for not complying?
Breaking HIPAA's privacy or security rules can bring civil or criminal penalties. As originally enacted, civil penalties were fines of up to $100 for each violation, with a limit of $25,000 per calendar year for all violations of an identical requirement; the HITECH Act of 2009 replaced this with a tiered structure based on the level of culpability, under which penalties can reach up to $50,000 per violation and $1.5 million per year for violations of an identical provision (before inflation adjustment). Criminal penalties can include not only fines but also jail time, and they increase with the seriousness of the offense: knowingly obtaining or disclosing PHI with intent to sell it or to use it for commercial advantage, personal gain, or malicious harm can bring a fine of up to $250,000 and a prison sentence of up to 10 years. HIPAA protects our patients' fundamental rights to privacy and confidentiality. At SPH the Privacy Rule is everyone's business, from the CEO to the health care professional to the maintenance staff.
Privacy Officer Contact Information
South Peninsula Hospital Privacy Officer
4300 Bartlett Street, Homer, AK 99603
Phone: (907) 235-8101