
HIPAA regulations have instituted several processes that safeguard your Protected Health Information (PHI). These processes include new procedures at your provider's office, establishing who healthcare providers can speak to regarding your health and new security standards to better secure your PHI.

Your Provider's Office & You

Have you visited your doctor lately? Does the sign-in sheet no longer contain the reason why you're there? Is the office assistant more quiet when speaking with you? Do they close the door to the examining room? Have they stopped leaving lab results on your voice mail or with a family member?

The answer to all of the above should be yes. As a result of the HIPAA Privacy regulations, doctors and other medical providers are required to institute processes to safeguard your protected health information or PHI. PHI consists of all your personal contact and medical records such as mailing address, health status, medical history, medications, and so on.

The days are gone when the nurse will blurt into the waiting room the directions to your new medications or how long you've had "x" problem. Some doctors have even gone as far as requiring you to make a follow-up visit for lab results to better ensure your privacy.

Unfortunately, some medical practices have not instituted these policies. There have been horror stories of nurses coming into the waiting room to announce the results of a patient's STD test while the waiting room is full. Imagine the possibilities of your eight-year-old listening to the answering machine only to hear a message from the doctor congratulating the child's mother on her pregnancy — and the mother had no idea she was pregnant. Finally, you probably wouldn't appreciate a neighbor who works at a hospital looking in the system to learn that you were undergoing chemotherapy, just because she was curious as to why you were in the hospital.

Fortunately, since the implementation of the Privacy Rule, these cases have been few and far between. The rule was designed to keep the scenarios described above from happening. And, for the most part, doctors and their staffs have been more careful.

A/P Vs P/R: Which One Do I Use?

You may have heard that along with your new Privacy rights comes the ability to establish an Authorized Person or a Personal Representative. You may be asking yourself: what are these two, what is the difference, and when should I use them? This article hopes to help you answer these questions, which, in turn, will help you with managing your health care.

Authorized Person (A/P): An A/P is someone you assign to help communicate with your health care company. They can receive answers to basic medical and benefits questions, such as coverage and claims status. This is usually a spouse or adult child who may be either helping to manage your affairs or just someone you ask to help deal with matters from time to time. An A/P is unable to make decisions on your behalf, change information with your health plan or provider, or have a say in your health care. Someone with those additional rights has been granted status as a Personal Representative.

Personal Representative (P/R): A P/R is someone designated to manage your health care. This person usually possesses a legal power of attorney or similar legal rights to make decisions on behalf of the individual. A P/R can make requests or changes as though customer service was speaking with the member on the phone.

There is a significant difference between an A/P and a P/R. It is very important that you know the difference so that you can make the appropriate decisions. For instance, do you want your 22-year-old to just make inquiries, because it is difficult for you to call customer service, or do you want your child to have full decision-making rights? Of course, most health plans do require legal documentation before processing a P/R request. So it is a little more difficult to establish a P/R. And that's to protect you.

While, hopefully, this article has been helpful, you should consult with your health plan, provider, or personal lawyer. They could provide further guidance on which is the most appropriate route to take if you are not certain.

Why Is Security Needed When You Have Privacy?

Many health care industry professionals have asked, "Didn't we implement Security when we implemented the Privacy Rule? So, why do we have a separate Security Rule?"

Well, while there were elements of security within the Privacy Rule there are also sections that differentiate the two.

The Privacy Rule focuses on the safeguarding of all forms — paper and electronic — of Protected Health Information (PHI) and makes the industry accountable for intentional disclosures of the PHI.

The Security Rule, on the other hand, protects the systems that manage Electronic Protected Health Information (ePHI). ePHI consists of PHI stored on a computer system or transmitted electronically. It does not include paper, faxes, voice mail, etc.

Under the Security Rule, most organizations add new auditing and monitoring measures to ensure that the data remains confidential and that only authorized employees access your PHI. It also enhances access controls to include role-based access (only accessing data as deemed appropriate for your job) and improves the security of the company's physical assets (e.g., computers, buildings).

So, while many health plans implemented security measures during the Privacy Rule roll-out, they were doing so for two reasons: a) it was a good business decision and b) they were proactively implementing the Security Rule.
HIPAA Blues is published by the Blue Cross and Blue Shield Association. It is written by Adam Birnbaum, Program Manager, HIPAA Privacy.