

Section 6
Getting on Board with HIPAA Privacy Regulations


HIPAA in a nutshell
HIPAA establishes a mandatory procedure for implementing uniform minimum patient privacy standards from state to state. Its main goal is to protect the privacy of patients' individually identifiable health information.

What operating procedures will your facility need to update to comply with HIPAA's privacy regulations? Activities related to the following three standards will most likely require revision:

Standard one: This set governs the proper use and disclosure of personal health information (PHI) by the facility, its workforce, and certain business associates such as lawyers, auditors, consultants, and other third parties who handle PHI. Depending on your state's current laws governing medical or health records, this first set may or may not require a significant number of changes.

Standard two: This set allows patients to request access to their PHI, request reasonable amendments to it, and receive an annual written report of all of the facility's uses and disclosures of their PHI that they didn't authorize in writing. A facility must also provide patients written notice of its privacy practices by the April 14 deadline, with the understanding that a patient may require certain restrictions regarding disclosure of PHI to certain third parties such as family members.

Standard three: This set requires facilities to complete several administrative tasks, including appointing a privacy officer, making the various written changes to its operating procedures, educating its workforce about these changes, and establishing an effective method for patients and others to communicate complaints, questions, and concerns about its privacy practices.

A true change catalyst?
Because these new regulations will enable the Department of Health and Human Services' Office of Civil Rights to impose civil and criminal penalties for the wrongful disclosure of PHI, health care providers and others affected by the act will work quickly to update their operating procedures before HIPAA's compliance date.

To view a complete copy of HIPAA's final regulations, recently proposed amendments, and other useful information, visit the Web site of the U.S. Department of Health and Human Services at

Information appearing in Legal checkpoints is general and not meant to give precise legal advice. Always refer specific situations to your facility's legal representation.

What’s "individually identifiable health information"?
This term covers information that health care providers and insurance plans transmit or maintain.

What does personal health information (PHI) include?
When we think of PHI, medical or health records come to mind. But HIPAA broadly defines PHI to include any health information that a covered entity (health care provider and insurer, public health authority, employer, life insurer, academic institution) creates or receives in any medium. The information must relate to an individual's physical or mental condition, the care he received, or how he paid for care. It must also identify the person or create the possibility that someone could use the information to identify that person.

What types of civil and criminal penalties could a facility incur if its personnel fail to comply with these regulations?
Improper use or disclosure of PHI could result in civil monetary penalties of $100 per incident, or as much as $25,000 per person, per year, per standard. Because certain criminal violations qualify as a felony, criminal penalties can range from $50,000 to $250,000 and up to 10 years in prison. The severity of criminal penalties makes them a serious consideration in ensuring a facility complies with the regulation's many standards at all points of operation.

Consider this
U.S. health care: Limited access?
In the past few decades, the overall health of the American population has improved; however, disparities in the health of minority populations still exist. Data reveal that about 30% of Hispanics and 20% of African Americans lack a usual source of health care, compared with less than 16% of Caucasians. To properly address the racial and ethnic inequities surrounding health care access, organizations such as the Agency for Healthcare Research and Quality (AHRQ) conduct research to identify disparities in health and the cultural factors behind them. According to the AHRQ:

• Cancer mortality rates are 35% higher for African Americans than for Caucasians.
• African American diabetics are 7 times more likely to have amputations and develop kidney failure than Caucasian diabetics.
• African Americans are 13% less likely to undergo coronary angioplasty and 1/3 less likely to undergo bypass surgery than Caucasians.
• Among preschool children hospitalized for asthma, only 7% of African Americans and 2% of Hispanic children, compared with 21% of Caucasian children, receive routine medications to prevent future asthma-related hospitalizations.
• The length of time between an abnormal screening mammogram and the follow-up diagnostic test to determine whether a woman has breast cancer is more than twice as long in Asian American, African American, and Hispanic women as in Caucasian women.
• African Americans with HIV infection are less likely to be on antiretroviral therapy, less likely to receive prophylaxis for Pneumocystis pneumonia, and less likely to receive protease inhibitors than other persons with HIV.
• Asian American, Hispanic, and African American residents of nursing homes are significantly less likely than Caucasian residents to have sensory and communication aids, such as glasses and hearing aids.

Ziel, Susan; Get on board with HIPAA privacy regulations; Nursing Management; Oct 2002; Vol. 33; Issue 10.

Personal Reflection Exercise #2
The preceding section contained information about getting on board with HIPAA privacy regulations. Write three case study examples regarding how you might use the content of this section in your practice.

Health Records Database and Inherent Security Concerns:
A Review of the Literature

Basil, N. N., Ambe, S., Ekhator, C., & Fonkem, E. (2022). Health Records Database and Inherent Security Concerns: A Review of the Literature. Cureus, 14(10), e30168.

Peer-Reviewed Journal Article References:
Douglas, S., Jensen-Doss, A., Ordorica, C., & Comer, J. S. (2020). Strategies to enhance communication with telemental health measurement-based care (tMBC). Practice Innovations, 5(2), 143–149.

Glueckauf, R. L., Maheu, M. M., Drude, K. P., Wells, B. A., Wang, Y., Gustafson, D. J., & Nelson, E.-L. (2018). Survey of psychologists’ telebehavioral health practices: Technology use, ethical issues, and training needs. Professional Psychology: Research and Practice, 49(3), 205–219.

McClellan, M. J., Florell, D., Palmer, J., & Kidder, C. (2020). Clinician telehealth attitudes in a rural community mental health center setting. Journal of Rural Mental Health, 44(1), 62–73.

How does HIPAA broadly define "public health information" (PHI)? To select and enter your answer go to Test.
