The Health Insurance Portability and Accountability Act of 1996 (HIPAA/PL104-191) became effective on April 14, 2001. Included the federal law is a "Health/Medical Information Privacy" section. This law applies to any "ENTITY" that use computers to transmit health claims information. "ENTITY" is defined as a "Health Plan" (HMO's, insurers, group health plans, employee benefit plans), Health Care Clearinghouse (an entity that processes health information going from a health care provider to a payer and certain Health Care Providers those who use computers to transmit health claims information). Covered health care providers must generally obtain the patient's consent prior to using or disclosing protected health information to carry out treatment, payment or health care operations. However, providers may condition treatment on patient's providing consent form. In addition, covered entities must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure or request for health information from another. This standard does not apply to treatment.
Individuals have a right to see and obtain a copy of their own health information, including documentation of who has had access to this information. There are also limited exceptions to when a patient can access their own information, such as when such access would endanger the life or safety of any individual. Nevada already statutorily grants a patient the right of access to his health records in the possession of health care providers, including physicians, hospitals and pharmacists. However, Nevada does not have a general, comprehensive statutory prohibition against the disclosure of confidential medical information. Individuals also have the right to request amendment or correction of health information that is incorrect or incomplete. Health plans and covered health care providers are required to provide written notice of their privacy practices, including a description of an individual's rights with respect to protected health information (such as the right to inspect and obtain a copy of health records) and the anticipated uses and disclosures of this information that may be made without the patient's written authorization. A covered entity may not condition the provision of services or payment on the receipt of the authorization.
Health information may be disclosed for a number of purposes without any patient authorization including, but not limited to: public health activities, research, and fraud investigations. For all other purposes (other than those listed), patient authorization is required. Covered entities can disclose protected health information without a patient's authorization only to researchers whose protocol has been reviewed and approved by an Institutional Review Board (IRB) or a "privacy board."
Only the use and disclosure of "protected health information" is covered. In order to be considered "protected health information" under the regulations, information must: (1) Relate to a person's physical or mental health, the provision of health care, or the payment of health care; (2) Identify, or could be used to identify, the person who is the subject of the information; (3) Be created or received by a covered entity; and (4) Which is transmitted or maintained in any form or medium. Covered entities may create and use "de-identified information," health information which has been stripped of elements that could be used to identify individual subjects.
