HIPAA Privacy Rule Compliance is Now Required. What are the implications for your camp?
HIPAA is the acronym for the Health Insurance Portability and Accountability Act. This law, passed by Congress in 1996, helps to protect individual's rights to health coverage during events such as changing or losing jobs, pregnancy, moving, or divorce. It also provides rights and protections for employers when getting and renewing health coverage for their employees. HIPAA is NOT an insurance policy.
HIPAA contains a privacy rule (Standards for Privacy of Individually Identifiable Health Information). This rule gives patients greater access to their own medical records and more control over how their personal health information is used. The rule also addresses the obligations of health care providers and health plans to protect health information. By law, covered entities had until April 14, 2003, to comply.
The privacy provisions of the federal law apply to health information created or maintained by health care providers who engage in certain oral and electronic transactions, health plans, and health care clearinghouses.
For patients, it:
- Enables them to find out how their health information is used and disclosed
- Limits release of information to the "minimum reasonably needed" for disclosure
- Gives them the right to examine and obtain a copy of their own health records and request corrections
The HHS Office for Civil Rights (OCR) has implementation and enforcement responsibility for the Privacy Rule. The OCR has issued a series of guidance materials that answer some of the questions about the new protections for consumers and requirements for doctors, hospitals, and other providers. It also clarifies some of the confusion regarding the meaning of key provisions of the rule. The guidance and other technical assistance materials are posted on the OCR Privacy Web site at: www.hhs.gov/ocr/hipaa .
It is federally mandated that all of the US states and territories comply with HIPAA. Failure to comply with the Privacy Rule of HIPAA can lead to civil penalties up to $100 per person per violation and up to $25,000 per person for violations of a single standard for a calendar year and/or criminal penalties that can result in a $50,000 to $250,000 fine and one to ten years in jail for improper disclosure of individually identifiable health information.
So, What Does This Mean for Camps?
The rule acknowledges that healthcare providers (such as your camp) need access to information about the people for whom they provide care. Given a camp's need for health information - camper's and staff's health forms, submission of workers' comp claims, faxing a health form to a treating emergency room - there is need for the camp community to ensure they are meeting the requirements of the Rule.
What Should My Camp Be Doing?
When the law was first passed, ACA recommended the following to camps:
First, determine your camp's current way of handling protected health information (PHI). Remember to consider:
- Who receives completed health forms and who has access to those forms?
- Who of the kitchen staff are typically informed of health issues? Why are they told? Could that pool of people be more limited without jeopardizing safety?
- What health challenges are shared with cabin staff?
- Who in the specialized areas of camp - waterfront, ropes course, horseback riding, tripping, etc. - are told about health challenges? Why are they told?
- Under what circumstances does PHI leave camp? How is the privacy of that information monitored?
- What individuals have access to all and any PHI? Who has limited access and how is that access limited?
- When a person leaves camp - whether on a day trip or at the end of their camp session - how is their health history secured? Who makes decisions regarding the disposition of that information?
Second, talk with your legal counsel regarding "red flags" which surfaced as a result of reviewing this information.1
Hopefully, since this Rule went in to effect this April, you've already done these things! Several questions have come up that might be useful as you consider your specific situations:
1. How should we set up our policies to ensure quick treatment in a medical situation, yet preserve the intent of the privacy rule?
A: Your health form should include disclosure authorization for securing health care operations. In doing so, individuals - camp staff, campers and their parent/guardian - may request restrictions to a camp's disclosure policy and retain the right to revoke consent. For instance, language in your permission form could be modified to read: "I agree to the release of any records necessary for treatment, referral, billing, or insurance purposes..."
2. The Rule talks about providing only the "minimum necessary information." How do we deal with that at camp?
A: The Privacy Rule acknowledges that healthcare providers (such as your camp nurse or doctor) need free access to individual health information and in no way seeks to limit that access. In this situation, the rule directs entities to limit access to the minimum necessary or to that which is reasonable. What is meant by "minimal," "necessary," and "reasonable" is left to the discretion of the entity - camp, in your case. B