Human Resources Information & Employee Benefit Services

Workplace Confidentiality and the HIPAA Privacy Rule

Not too long ago there were several news stories that came out of the Southern California area about health care providers - in most cases, nursing personnel - who accessed and shared private health information about celebrities who were visiting their medical facility.

The Health Insurance Portability and Accountability Act (HIPAA), also called the Privacy Rule, is a federal law that provides you with the right to control your personal health details by setting rules and limits on who can look at and receive your health information. Here's what that means to you.

HIPAA Overview

Most people don't even realize that the HIPAA Privacy Rule is overseen by the U.S. Department of Health and Human Services and enforced by the Office for Civil Rights. It protects the privacy of "individually identifiable health information." That means health information (be it medical, dental or mental) that can be directly attributed to you. So this includes:

  • Information your health care providers place in your medical record
  • Conversations your health care providers have about your care and treatment
  • Details about your health care in your health insurer's computer
  • Billing information related to your health
  • And pretty much any other health information obtained by those who must follow this law

The intent is to protect you from indiscriminate disclosure and sharing of your health information with people who just don't have a need to know. Entities covered by HIPAA include:

  • Health plans: health insurance companies, HMOs, company health plans, and certain government health plans such as Medicare and Medicaid.
  • Health care providers: doctors, clinics, hospitals, psychologists, chiropractors, nursing homes, pharmacies and dentists
  • Health care clearinghouses: firms that process non-standard health information received from another

However, there are also organizations that may have your health information, but do not fall under this law. These include:

  • Life insurers
  • Employers
  • Workers' compensation carriers
  • Many schools and school districts
  • Many state agencies
  • Many law enforcement agencies
  • Many municipal offices

Keep in mind, however, that even though a particular organization is not covered by this law, it cannot obtain your health information directly without your authorization because your health care provider must comply with HIPAA.

Why You Need to Understand HIPAA

Understanding your rights under HIPAA is an important step in protecting your personal health information. You have a right to:

  • See and get copies of all your health records and information, though in some circumstances a doctor can withhold information if he or she deems it might endanger you or someone else.
  • Have corrections added to your health information, or have wrong or incomplete information in your file (for example, the result of a test) changed.
  • Receive a notice of when and how your health information is used and shared.
  • Decide whether or not to give your permission to have your health information used and shared.

How Employers are Impacted by HIPAA

A primary goal of HIPAA is to ensure that your health information is properly protected without impeding the flow of information that is needed to provide quality care while protecting the public's health and well-being.

While most employers are not covered entities, many administer health plans that are covered by HIPAA regulations and, therefore, they must make sure these plans are HIPAA compliant. In addition, employers may be a covered entity if their health plan is self-insured or if health benefits are administered internally.

HIPAA does not prevent an employer from asking an employee for a doctor's note in order to administer programs related to sick leave, workers' compensation, wellness or health insurance. However, if employers ask health care providers for information about employees, health care providers cannot disclose information without employee consent and authorization. And while HIPAA doesn't protect employment records, even if there is health-related information contained in those records, the information may only be used for the purposes expressly stated in the authorization that has been provided to the physician.

For more information and a complete overview of the Health Insurance Portability and Accountability Act be sure to visit the U.S. Department of Health and Human Services or talk to your human resources department or health care provider.

