Introduction

In our society today, healthcare is ever changing and evolving. Computer-based patient records,
videoconferencing, electronic mail, and telehealth are just a few of the practices that have
become common in the delivery of care (Follansbee, 2002, p.42). This paper will focus on one
such change, the Health Information Portability and Accountability Act of 1996 (HIPAA) and
how it may affect healthcare as we know it.
In August of 1996, Congress passed the Kennedy-Kassebaum bill, which became Public Law
104-191, better known as the Health Information Portability and Accountability Act of
1996 (HIPAA). According to Maheu et al. (2001), HIPAA called for protections of the privacy
of medical information and was designed to improve the portability and continuity of health
insurance coverage through simplification by the Congress and the Department of Health and
Human Services (p.171). Richard Antognini (2002), an attorney, wrote that HIPAA was
lengthy legislation whose main goal was to enable employees to keep health insurance coverage
when they changed jobs. Buried in the act, however, was a section that related to the protection
of the privacy of individuals' health information (p.296).
Background
This was not Congress's first attempt to legislate medical records privacy. Previous attempts
included the Individual Privacy Act (1974), the Fair Health Information Practices Act (1995),
and the Medical Records Confidentiality Act (1995). Unfortunately, none of those bills were
passed (Hebda et al., 2001).
Congress gave itself three years to pass legislation guaranteeing the privacy of health
information. If it did not do so, the Secretary of Health and Human Services (HHS) was
authorized to draft and enact regulations to accomplish this task. Needless to say, Congress did
indeed fail to enact health privacy laws by 1999, the deadline set under HIPAA (Antognini,
2002).
Body
HIPAA is a very large and complex act, with many sections. This paper will attempt to describe
those sections and inform the reader on how changes enacted due to HIPAA will affect health
care in general. There is one section titled Administrative Simplification, which contains
provisions intended to standardize electronic transmission of health care information and reduce
associated costs and administrative burdens (Maheu et al., 2001, p. 172). According to
Follansbee (2002), "The standardization of electronic data interchange, the protection of the
confidentiality, and the security of health data will determine and enforce standards for the
transfer of e-health information" (p. 44). The deadline for this section was October 16, 2002, but
any organization that applied for an extension automatically received another year.
HIPAA also has a section regarding privacy. According to the Department of HHS's website
(www.hhs.gov/ocr/hipaa), HIPAA's final Privacy Rule was published December 20, 2000, with
the rule becoming effective April 14, 2001. Covered entities (certain health care providers, health
plans, and health care clearinghouses) and their business associates (such as vendors) are not
required to comply with the HIPAA Privacy Rule until the compliance date of April 14, 2003. Of
course, they may do so voluntarily before that date, if they wish.
The HIPAA Privacy Rule was enacted to establish a minimum standard to which all states
must conform. By definition, the minimum standard is a federal floor of safeguards set up to
protect the confidentiality of medical information. Included is the underlying principle that
health care plans follow a policy of minimum disclosure when using or disclosing medical
information in all areas of operation (Wang, 2002). As with most rules and regulations, state or
local laws that provide stricter privacy protection will continue to apply over and above this
federal policy.
Noncompliance with HIPAA standards could result in severe fines. Civil penalties range from
$100 (per person per violation) to a maximum of $25,000 per year. Criminal acts for obtaining
and disclosing personal health information (PHI) may incur a $50,000 fine and one year in
prison. When PHI is obtained under false pretenses, the penalties increase to $100,000 and five
years in prison. Finally, anyone caught obtaining PHI with the intent to sell, transfer or use it for
commercial advantage, personal gain or malicious harm, may face penalties of $250,000 and ten
years in prison (Wang, 2002).
The Privacy Rule dictates that a security official be appointed within the covered entity. This
person is responsible for developing and implementing privacy procedures. The security official
will oversee the complaint process and provide information and training to participants and
employees (Wang, 2002). Maheu et al. (2001) state that the security officials should be familiar
with the technical operations of the organization. They should also be able to manage other
personnel and interact with representatives of other companies, such as vendors (the covered
entities' business associates) (p.173). They further state that a risk assessment should be
conducted to determine the organization's needs related to compliance.
It is recommended that the security official do a few things in preparation for HIPAA. First,
create an information security (IS) department and educate that department in depth on the
details of the act. Then, use the IS staff to conduct a thorough review of the current systems and
procedures. This will allow them to identify any changes, including system changes, that need to
be made. After a plan is developed, all staff need to be updated on the changes that will be taking
place and the reasons why these changes will occur (Hebda et al., 2001).
In addition, the security official should evaluate all security measures currently in place,
especially those involving computer workstations. Several questions need to be addressed: what
kind of data is stored on personal computers (PCs)? Is this patient or personal data? Are the
workstations secure? Do they require a unique sign-on for each user, or can anyone access them?
Is there a system to automatically log off a user after a certain amount of time? (For instance,
what happens if there is an emergency and the user is called away from the terminal?) Is the
network protected? Are there adequate firewalls in place? Lastly, how are paper printouts
disposed of? Are they just thrown in the trash, or are they placed in locked bins to be shredded or
destroyed so that no personal information can be obtained from them?
A covered entity must remember that the primary focus of HIPAA is a patient's right to his or
her medical information. That covered entity must provide an easy-to-understand notice to all
affected patients. This notice must explain how the patient's personal health information can be
used, and how to request, access, or amend that information (Wang, 2002).
A patient also has the right to access his or her personal health information (PHI). Upon request,
a covered entity must provide an accounting of the health information uses and disclosures for
the past six years of service (Wang, 2002, p.64). Wang further adds, "The accounting must be
provided free of charge the first time in any 12-month period; a reasonable fee may be imposed
afterward. The entity has thirty days to inform the person and provide access, or give a reason for
denial" (p.64). Psychotherapy notes and information compiled in anticipation of a lawsuit (or
administrative action) are exempted from this rule.
Conclusion
In conclusion, the explosion of computers and new technology has already changed the way that
health care is practiced. Follansbee (2002) adds, "HIPAA will influence the direction of these
practices so that the practitioner and the patient can achieve the best possible outcomes" (p.44).
Without a doubt, the public is concerned about medical privacy. A recent Gallup poll conducted
by the Institute for Health Freedom (available at
http://www.forhealthfreedom.org/Publications/Privacy/NR20000926.html) found that an
overwhelming majority of Americans disapprove of third parties having access to their medical
records without their consent. Seventy-eight percent of respondents in that survey were adamant
that their medical records should remain confidential. It also found that eighty-two percent of the
participants strongly objected to the idea of insurance companies gaining access to their
personal records without specific permission (Institute for Health Freedom, 2002).
The use of technology in health care continues to grow at an unbelievable rate. Along with this
technology come many opportunities and concerns. That is where HIPAA steps in to assist
nursing with these issues and concerns and in the provision of confidential patient care. HIPAA
compliance is a goal that requires extraordinary focus and determination, and one that will not be
accomplished easily. Follansbee (2002) ends by saying, "Since the impact of HIPAA will change
the way health care is practiced both now and in the future, there is a clear directive to
understand issues and consequences regarding noncompliance" (p.47).
HIPAA will have an effect on nearly everyone in one way or another. It affects health care
providers by making them more aware of how personal information is stored and made available.
It affects institutions, such as hospitals, by levying fines if measures are not taken toward
compliance of this act. Lastly, it affects any individual who has been or may be a patient in the
health care arena. So, HIPAA truly affects everyone.
References

Antognini, R. (2002). The law of unintended consequences: HIPAA and liability insurers.
Defense counsel journal, 69(3), 296. Retrieved January 11, 2015, using EBSCOhost academic
search at http://www.apollolibrary.com
Department of Health and Human Services website, available at http://www.hhs.gov/ocr/hipaa
Follansbee, N. (2002). Implications of the health information portability and accountability act.
Journal of nursing administration, 32(1), 42-47. Retrieved January 11, 2015, from
http://www.apollolibrary.com:2235/ovidweg.cgi
Institute for Health Freedom (2002). Gallup survey finds Americans' concerns about medical
privacy run deep. Retrieved January 11, 2015, from
http://www.forhealthfreedom.org/Publications/Privacy/NR20000926.html
Maheu, M., Whitten, P., & Allen, A. (2001). E-health, telehealth, and telemedicine: A guide to
start-up and success. New York: Jossey-Bass, Inc.
Wang, L. (2002). The privacy rule: HIPAA standards for the privacy of individually identifiable
health information. Employee benefits journal, 27(3), 59-63. Retrieved January 11, 2015, using
EBSCOhost academic search at http://apollolibrary.com