Q: My dentist and my benefit office keep talking about HIPAA and protecting my privacy under some new federal law. What is this all about?
A: HIPAA Privacy Rules and Compliance with Federal and State Employment Laws require the following:
Neither the health plan nor a health care provider ("covered entities") may release protected health information (PHI) to a third party unless the participant gives his or her written authorization. Even when the member has authorized the covered entity to release PHI to a third party, the covered entity may release only the minimum PHI necessary to meet the purpose of the authorization.
- What is PHI?
Protected health information (PHI) is information communicated by a covered entity orally, on paper or by electronic means that individually identifies and relates to an individual's (member's, dependent's or retiree's) medical condition, provision of medical care, enrollment, premium payment, health status or treatment.
When a covered entity (health plan, physician, hospital, etc.) possesses PHI, the HIPAA privacy rules apply.
- Participant Authorization and Confidentiality Policy
A member must authorize a covered entity to release health information to any third party. This must be a written authorization and it must contain all of the elements specified in the HIPAA regulations. Click here for a copy of the HIPAA authorization form.
- Additional Required Statements in the Authorization Form
The authorization form must state the individual's right to revoke the authorization in writing, and must contain an explicit description of the exceptions to the right to revoke and instructions on how the individual may revoke the authorization. The instructions must inform the participant to whom the written revocation must be given. Click here for a copy of the revocation form.