MUSCMedical LinksCharleston LinksArchivesMedical EducatorSpeakers BureauSeminars and EventsResearch StudiesResearch GrantsCatalyst PDF FileCommunity HappeningsCampus News

Return to Main Menu

HIPAA to establish privacy, security standards

by Mike Wheeler
University Privacy Officer
Congress  passed the Health Insurance Portability and Accountability Act (HIPAA) in 1996. Under HIPAA, Congress agreed to establish standards for the privacy and security of individually identifiable health information. 

Congress had until Aug. 21, 1999, to pass the health privacy legislation. When Congress failed to pass the legislation, the Department of Health and Human Services (DHHS) did so by regulation. 

In November 1999, DHHS published the proposed HIPAA regulations. The regulations took effect on April 14, 2001, with a two-year implementation time period.  These regulations, set forth in 45 Code of Federal Regulations Parts 160 and 164, are entitled “Standards for Privacy of Individually Identifiable Health Information” (The Privacy Rule). 

The Privacy Rule provides that health care providers, health care  clearinghouses, and health plans protect individually identifiable health information against misuse or disclosure. 

Health care providers, health care clearinghouses, and health plans must comply with the HIPAA Privacy Rule by April 14. 

Under the HIPAA Privacy Rule, individuals (our patients) have six rights:
1. The right to request restrictions on certain uses and disclosures of Protected Health Information (PHI);

2.  The right to receive confidential communications of PHI (billing information, appointment reminders, etc.); 

3. The right to inspect and copy PHI; 

4. The right to amend PHI (request changes);

5. The right to receive an accounting of disclosures of PHI (an accounting of any non-MUSC entity reviewing the PHI); and 

6. The right to obtain a paper copy of MUSC’s Notice of Privacy Practices.

The MUSC organization must comply with the HIPAA Privacy Rule and uphold the six individual rights specified by this Rule. 

One of the first steps in implementing the HIPAA Privacy Rule is to determine present work practices and the location of medical records containing PHI. A Gap Analysis is used to assist in making and documenting these determinations. 

This Gap Analysis has been completed by MUHA, but UMA and the university are presently completing their Gap Analysis. By a department/cost center completing this Gap Analysis, we are able to identify which departments/cost centers are using, storing, modifying, or disclosing PHI. 

This Gap Analysis also identifies any business relationships with entities outside of the MUSC organization.  Therefore, it is very important for this Gap Analysis to document the work practices of the entire department/cost center and not just concentrate on the work practices of the billing centers. 
 
 

Catalyst Online is published weekly, updated as needed and improved from time to time by the MUSC Office of Public Relations for the faculty, employees and students of the Medical University of South Carolina. Catalyst Online editor, Kim Draughn, can be reached at 792-4107 or by email, catalyst@musc.edu. Editorial copy can be submitted to Catalyst Online and to The Catalyst in print by fax, 792-6723, or by email to petersnd@musc.edu or catalyst@musc.edu. To place an ad in The Catalyst hardcopy, call Community Press at 849-1778.