Background

By its nature, NCST posts information regarding incidents that can result in individuals needing various levels of medical treatment.

There have been a number of instances where I’ve seen members of the community invoke HIPAA protections in the comments regarding information that has either been posted or that other community members are requesting in the comments.

A surprising number of these comments seem to show a general misunderstanding of what HIPAA is and to whom it applies, especially in the context of NCST’s reporting.

Summary

The Health Insurance Portability and Accountability Act, or HIPAA, was passed in 1996 to standardize the Security and Privacy of patient health records. It was the result of the digitization of medical records and the electronic transmission of those records between certain covered entities. 

For the reasons explained below, NCST is not a covered entity and as such is not bound by any part of the HIPAA standards.

We do, however, make every effort to provide information in a manner that is respectful and ethical. This includes internal policies on what information is released and at what time.

Information on HIPAA

The Health Insurance Portability and Accountability Act, or HIPAA, was passed in 1996 to standardize the Security and Privacy of patient health records. It was the result of the digitization of medical records and the electronic transmission of those records between certain covered entities. 

HIPAA consists of two major sections: the HIPAA Privacy Rule and the HIPAA Security Rule. Both rules aim to protect patients in different ways. We’ll summarize those two rules quickly below. For more in-depth information, please see the links in the “Further Resources” section towards the bottom of the page.

The Privacy Rule

The Privacy Rule standards address the use and disclosure of individuals’ health information (called “protected health information”) by organizations subject to the Privacy Rule (called “covered entities”), as well as standards for individuals’ privacy rights to understand and control how their health information is used.

The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information “protected health information (PHI).”

“Individually identifiable health information” is information, including demographic data, that relates to:

  • the individual’s past, present or future physical or mental health or condition,
  • the provision of health care to the individual, or
  • the past, present, or future payment for the provision of health care to the individual,


and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number).

The Security Rule

The Security Standards for the Protection of Electronic Protected Health Information (the Security Rule) establish a national set of security standards for protecting certain health information that is held or transferred in electronic form. The Security Rule operationalizes the protections contained in the Privacy Rule by addressing the technical and non-technical safeguards that organizations called “covered entities” must put in place to secure individuals’ “electronic protected health information” (e-PHI).

The HIPAA Privacy Rule protects the privacy of individually identifiable health information, called protected health information (PHI), as explained in the Privacy Rule. The Security Rule protects a subset of information covered by the Privacy Rule, which is all individually identifiable health information a covered entity creates, receives, maintains or transmits in electronic form. The Security Rule calls this information “electronic protected health information” (e-PHI). The Security Rule does not apply to PHI transmitted orally or in writing.

Covered Entities

As you can see above, the overwhelming goal of HIPAA is to ensure the protection of patient information as it is transferred between the facilities that provide the patient care, the health insurance providers, billing companies, and other “entities” that need access to it in the course of business. These “covered entities” are the only groups that are bound by the requirements spelled out in HIPAA.

The following are the “covered entities” listed in HIPAA.

  • Health Plans (health insurance companies, HMOs, employer-sponsored health plans, and government programs that pay for healthcare, like Medicare, Medicaid, and military health programs)
  • Clearinghouses (organizations that process nonstandard health information on behalf of other organizations)
  • Providers (doctors, clinics, psychologists, dentists, chiropractors, nursing homes, pharmacies, etc.)
  • Business Associates (third-party organizations engaged by an otherwise “covered entity” that help to carry out health care activities; for example, third-party health plan administrators, claims processors, medical transcriptionists, etc.)

Conclusion

HIPAA was created during a time period (1996) when everything was moving from paper records to electronic records. The government recognized this shift and put a process in place so that all of the needed stakeholders, mainly in the medical billing process, could safely access and provide that data while still protecting the patient.

If you read the comments by individuals who invoke HIPAA, you’d come to believe that HIPAA is some type of magical blanket that surrounds everyone who is injured and that anyone who looks upon the injured or speaks of its occurrence is to be struck down by the HIPAA hammer of righteousness out of the thin blue air.

Seriously. I’ve seen someone comment that Georgia DOT had to turn traffic cameras away from serious accidents because showing the accident would be “against HIPPA.”

NCST is not a covered entity and has no access to any medical records. Things that happen in public settings, regardless of what they are, are not covered by any privacy laws, including HIPAA.

NCST does, however, have internal policies that ensure respectful and ethical handling of information, including medical information regarding incidents that result in injuries or other medical conditions.

Further Resources

Are You a Covered Entity? – Centers for Medicare & Medicaid Services (USGov)

Summary of the HIPAA Privacy Rule – US Dept of Health and Human Services

Summary of the HIPAA Security Rule – US Dept of Health and Human Services