HIPAA

Preserving privacy of health information under HIPAA regulations

The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) authorized the Department of Health and Human Services to adopt regulations to require certain health providers to limit the use and disclosure of protected health information. The regulations became effective on April 14, 2003.

The regulations are lengthy, intricate and complex. They impose very specific and detailed requirements on “covered entities,” including the furnishing of written notices of privacy practices to patients and obtaining agreements with patients restricting disclosure of protected health information.

First of all, in section 1173 (a) of the Act Congress provided that the regulations to be adopted shall govern the “electronic exchange” of “financial and administrative transaction,” a term defined to mean health claims, enrollment and dis-enrollment in a health plan, eligibility for a health plan, health care payment and remittance advice, health plan premium payments, health claim status and referral certification and authorization.

The regulations are set forth in Title 45 of the Code of Federal Regulations. 45 CFR Sec. 164.104 provides that the regulations apply to “covered entities,” which are defined as: “ . . . health plans, health care clearinghouses, and health care providers who transmit health information in electronic form in connection with any transaction referred to in section 1173 (a) (1) of the Act (i.e., a financial or administrative transaction).”

The type of financial transaction covered by the regulations does not appear to include, for example, a transmission of an eyeglass prescription from one provider to another or an order transmitted by an eye care provider to an optical laboratory.

45 CFR Sec. 162.103 defines “electronic media” as follows:

“Electronic media means the mode of electronic transmission. It includes the Internet (wide-open), Extranet (using Internet technology to link a business with information only accessible to collaborating parties), leased lines, dial-up lines, private networks, and those transmissions that are physically moved from one location to another using magnetic tape, disk, or compact disk media.”

In view of this definition, the transmission of information by fax or telephone does not qualify as an electronic exchange. If there is no electronic exchange or transmission, the healthcare provider does not qualify as a “covered entity” and is not subject to the provisions of the Act.

However, if a health provider qualifies as a “covered entity” (i.e., it in some cases transmits health information in financial transactions in electronic form), that entity apparently may not use or disclose protected health information in any form or medium – electronic or otherwise – without complying with the privacy requirements of the regulations.

It appears that opticians will not be required to do much more than we do now. You must keep your records in a secure place, where the public cannot access them. If you have computers at the dispensing table, you must clear the screen when you leave the computer and have a password to get back into the system. You must never leave records on a dispensing table where other patients may see them. Information that must be secure is the social security number, telephone number, address and health information. You are not required to get your lab to sign a business associate prescription transferred to another dispensary.

The above information was gathered from several sources and does not constitute legal advice. We hope that the information in this packet will help you determine your place within the HIPAA requirements.