What are the implications for your camp?
HIPAA is the acronym for the Health Insurance Portability and Accountability
Act. This law, passed by Congress in 1996, helps to protect individuals’
rights to health coverage during events such as changing or losing jobs,
pregnancy, moving, or divorce. It also provides rights and protections
for employers when getting and renewing health coverage for their employees.
HIPAA is NOT an insurance policy.
HIPAA contains a privacy rule (Standards for Privacy of Individually
Identifiable Health Information). This rule gives patients greater access
to their own medical records and more control over how their personal
health information is used. The rule also addresses the obligations of
health-care providers and health plans to protect health information.
By law, covered entities had until April 14, 2003, to comply.
The privacy provisions of the federal law apply to health information
created or maintained by health-care providers who engage in certain electronic
transactions, health plans, and health-care clearinghouses.
For patients, it:
- enables them to find out how their health information is used and
disclosed;
- limits release of information to the “minimum reasonably needed”
for disclosure;
- gives them the right to examine and obtain a copy of their own health
records and request corrections; and
- allows them to amend their health information if they believe it
is inaccurate.
The Health and Human Services (HHS) Office for Civil Rights (OCR) has
implementation and enforcement responsibility for the privacy rule. The
OCR has issued a series of guidance materials that answer some of the
questions about the new protections for consumers and requirements for
doctors, hospitals, and other providers. These materials also clear up some of the
confusion regarding the meaning of key provisions of the rule. The guidance
and other technical assistance materials are posted on the OCR Privacy
Web site at: www.hhs.gov/ocr/hipaa.
It is federally mandated that all of the U.S. states and territories
comply with HIPAA. Failure to comply with the privacy rule of HIPAA can
lead to civil penalties up to $100 per person per violation and up to
$25,000 per person for violations of a single standard for a calendar
year and/or criminal penalties that can result in a $50,000 to $250,000
fine and one to ten years in jail for improper disclosure of individually
identifiable health information.
So, What Does This Mean for Camps?
Your camp is not automatically subject to HIPAA just because you provide
health care to campers. HIPAA only applies to health-care providers that
electronically engage in one or more specified electronic transactions.1
Those transactions are (among others that do not apply directly to
health-care providers): submitting health-care claims for payment; making
inquiries to health plans about the status of health-care claims; making
inquiries to a health plan about a person’s eligibility for health-care
benefits; and, certifying and authorizing referrals to health-care providers.2
Simply completing a camper’s health form online or faxing a health form
to a treating emergency room is not enough to confer “covered entity”
status on a health-care provider. If your camp provides health care and
electronically engages in one of the foregoing transactions, you may be
a covered entity. For example, if your camp electronically bills a camper’s
health insurance for health-care services, you may be covered. However,
if your camp does not engage in these electronic transactions, you should
not be covered by HIPAA’s privacy rule.
What Should My Camp Be Doing?
Camps have legitimate and important uses for health information such
as providing emergency first aid and evaluating a camper’s ability to
engage in activities. However, all campers deserve to have their health
information kept confidential. Therefore, even if your camp is not directly
covered by HIPAA, you should still evaluate how your camp uses health
information and limit it only to necessary uses. The steps outlined
in this article, while perhaps not legally required, are still good guidelines
to follow when handling campers’ health information.
If your camp is subject to HIPAA, you should have already taken steps
to comply. When the privacy rule was initially issued, the American Camping
Association (ACA) recommended the following to camps:
First, determine your camp’s current way of handling protected health
information (PHI). Remember to consider:
- Who receives completed health forms and who has access to those forms?
- Who of the kitchen staff are typically informed of health issues?
Why are they told? Could that pool of people be more limited without
jeopardizing safety?
- What health challenges are shared with cabin staff?
- Who in the specialized areas of camp — waterfront, ropes course,
horseback riding, tripping, etc. — are told about health challenges?
Why are they told?
- Under what circumstances does PHI leave camp? How is the privacy
of that information monitored?
- What individuals have access to all and any PHI? Who has limited
access and how is that access limited?
- When a person leaves camp — whether on a day trip or at the end of
their camp session — how is their health history secured? Who makes
decisions regarding the disposition of that information?
Second, talk with your legal counsel regarding “red flags” which surfaced
as a result of reviewing this information.3
Hopefully, since this rule went into effect this April, you’ve already
done these things! You should also have developed written policies and
procedures to safeguard health information, provided notice to campers
regarding how you will use their health information, and trained your
staff about privacy.
Important Questions
Several questions have come up that might be useful as you consider your
specific situations:
- The rule talks about providing only the “minimum
necessary information.” How do we deal with that at camp?
The Privacy Rule acknowledges that health-care providers (such as your
camp nurse or doctor) need free access to individual health information
and in no way seeks to limit that access. In this situation, the rule
directs entities to limit access to the minimum necessary or to that
which is reasonable. What is meant by “minimal,” “necessary,” and “reasonable”
is left to the discretion of the entity — camp, in your case. Because
of this, the scope of what a given camp discloses may vary from other
camps but, in all cases, only the minimum should be relayed. Thus, for
your camp, the camp nurse or doctor has free access to health forms;
camp staff generally would not. It should be noted that this Rule does
not apply only to written documents — it also refers to oral communication
about health information. In camps, we often use oral communication
to convey health information about people at camp. This rule directs
us to provide “reasonable safeguards” so oral information is limited
only to those who need to hear the information. For example, the camp
nurse may talk with a cabin counselor about a camper’s care but would
do so in a setting which limits — if not eliminates — who else listens
to that conversation. Camps should also review screening practices of
Opening Day to evaluate who is hearing what about whom during the process.4
- What if we need to refer a camper or staff
to an out-of-camp provider such as clinics, hospitals, dentists, and
chiropractors?
The camp may freely release a camper’s health information to an out-of-camp
health-care provider if it is doing so to further the health-care treatment
of a camper. The health-care provider who receives the information has
obligations to maintain the confidentiality of the information, too.
- My campers and some staff are minors, what
does the rule say about protecting their health information?
The Privacy Rule recognizes a parent/guardian as the representative
of a minor. Consequently, the parent/guardian can sign statements of
authorization in the child’s name. In addition, the rule also recognizes
another person acting in loco parentis. This is a position that most
camps assume with regard to campers.
- With all that is going on in the world, what
are the HIPAA implications if public officials approach my camp and
want information if they are responding to a bioterrorism threat? Is
my camp medical staff permitted to disclose protected health information?
Yes. The rule recognizes that various agencies or public officials will
need protected health information to deal effectively with a bioterrorism
threat. You can disclose protected health information, without the individual’s
authorization, to a public health authority acting as authorized by
law in response to a bioterrorism threat or public health emergency
(see 45 CFR 164.512(b), public health activities). The privacy rule
also permits a covered entity to disclose protected health information
to public officials who are reasonably able to prevent or lessen a serious
and imminent threat to public health or safety related to bioterrorism
(see 45 CFR 164.512(j), to avert a serious threat to health or safety).
In addition, disclosure of protected health information, without the
individual’s authorization, is permitted where the circumstances of
the emergency implicate law enforcement activities (see 45 CFR 164.512(f));
national security and intelligence activities (see 45 CFR 164.512(k)(2));
or judicial and administrative proceedings (see 45 CFR 164.512(e)).5
What Resources Are Available to Me?
HIPAA Privacy & Security Resource Kits: The following Web sites are
just a few of the many resources that a health-care provider might consult
to conduct a HIPAA privacy and security risk assessment and generate an
implementation plan. ACA does not specifically endorse these, or any other,
HIPAA consulting service.
Information compiled by ACA staff, based on guidance provided by ACA’s
legal counsel, Ice Miller, Indianapolis, Indiana.
Originally published in the 2003 Spring issue
of The CampLine.