Western Territory initiates HIPAA compliance
by Carol Seiler, Major –
Effective April 14, 2003, the Health Insurance Portability and Accountability Act of 1996, commonly known as HIPAA, required that protected health information (PHI) be especially safeguarded.
The Salvation Army is obliged to comply with the requirements of HIPAA on a variety of levels, because we are a large corporation with multiple activities, programs and employees. There are some important principles. First, where applicable, we must make reasonable effort to comply, understanding that the details will vary with the scope of the operation or department. Second, all individuals have certain rights regarding their protected health information (PHI). Third, administrative structures must document the efforts at compliance.
Almost everyone who has gone to pick up a prescription or gone to a doctor since April 14 has seen a Notice of Privacy Practice. This is a Federal requirement and is very structured. One of the confusing elements is that protected health information is defined as including 18 identifying factors including age and zip code!
Linking this to a health condition is what is prohibited. This means that we have to think differently about how much information we share about someone else’s health condition in any manner that can link the person and the illness.
The scope of Army involvement ranges from health plans for employees and officers to many of our programs because the definition of “health care” that is used includes nine aspects of care related to physical or mental condition, or functional status.
What has been happening throughout the territory is a concentrated effort to have the employee health plan HIPAA compliant. Mailings to all employees and training of HR directors has occurred. Then social service personnel in applicable programs have been working on their procedures related to handling the PHI and maintaining privacy for clients and employees.
The territory has adopted a broad policy of protecting privacy because there are many instances where separating the “technically required” and “technically exempt” areas would be harder. For example, there are employees who are soldiers, and the boundaries are crossed when the information is shared. Some corps leaders are envoys, who are employees. Some program participants have substance abuse issues, which are covered by other state laws for privacy. The Personnel Department has been working on the implication for officers, cadets and candidates who, while technically exempt from the employee or client issues, are not exempt from being treated with dignity and privacy. The primary impact in this area relates to prayer and health bulletins, where the detail must be limited. The individual can share themselves, but the Army will not be sharing the detail. The definition of health information specifically refers to information shared orally or in any medium and in any form.
Has this been a challenge? Yes. Is this unfair? No. Is it a valuable and worthwhile venture to protect privacy? Yes. Does it mean no one cares if they don’t know all the details? Of course not. If someone is sick and having surgery, prayer can be just as intelligent when it is for the health team, for the technical skill, for the healing hand of God. Does God need us to tell him that it’s a leg, or artery, or intestine in order to respond to prayer? I suspect not.
There have been a great number of people working diligently to strengthen a commitment to privacy and individual dignity, and we have approached HIPAA regulations, even though they have been complicated and somewhat cumbersome, as an opportunity to do both.