Healthcare Information Technology and Its Impact on the Health Insurance Portability and Accountability Act

By October 21, 2015Articles, Health

Healthcare Information Technology: A Primer

HIT is a far reaching phenomenon responsible for integrating the flow of health information across consumers, service providers and regulatory entities, improving the coordination of safe and efficient outcomes within the healthcare delivery system[1].The physical implementations of these include computerized systems that perform acquisition, storage and retrieval of healthcare information for decision making.[2]

While the successful adoption of healthcare information technology culminates in benefits on the patient care front such as improved healthcare quality and promises public benefits to the extent of early detection of pandemics, it has resulted in concomitant threats to patient privacy. The ease of accessing electronic health information for studies has compromised information privacy through information exchanges[3].


HIPAA was enacted August 21, 1996 [4]as part of a wider body of legislature with the express mandate of extending healthcare insurance coverage to workers in the midst of structural or cyclical unemployment and establishing operating guidelines and standardized health plan identifiers for electronic healthcare transactions between service providers, healthcare plans and employers[5].

The legislative spirit of Title II in HIPAA lends itself to the morass of complications introduced by HIT. It fosters a conducive environment for the enforcement of legislation maintaining the privacy of health information that can be tied to specific individuals through the timely institution of punitive measures that accompany violations. Five core rules incorporated within Title II are germane to the topic of our consideration – the Privacy Rule, the Transactions and Code Sets Rule, the Security Rule, the Unique Identifiers Rule, and the Enforcement Rule. These promote greater administrative efficacy through holding the applications of HIT to certain universal standards of quality.

HIPAA Privacy Rule

The Privacy Rule mounts a direct response to the manifold opportunities for compromising privacy that emerge from the incremental prevalence of HIT[6].  As the central pillar of the privacy security framework that HIPAA relies upon to manage HIT, the Privacy Rule negotiates between the competing priorities of safeguarding health information privacy for patients and the necessity of providing key health information required for the smooth execution of prediction, treatment and payment consolidation purposes within an integrated healthcare system.

Key Stakeholders

The Privacy Rule maintains jurisdiction over health plans, clearinghouses and healthcare providers which facilitate electronically certain financial and administrative transactions subject to standards adopted by HHS[7]. By extension, the Department of Health and Human Services is also expanding coverage to include independent contractors of the covered entities who adhere to the definition of business associates, which perform functions on behalf of the aforementioned covered entities that utilize PHI. While impossible to exhaustively discuss all the applications of the Privacy Rule in governing HIT, we attempt to categorize applications under the umbrella of a number guiding principles that have shaped the legislation.

Principal Tenet: Right to Access

In principle, the Privacy Rule identifies information that falls under the category of Protected Health Information (PHI) and controls the circumstances in which this can be used or disclosed. PHI is defined as information held by covered entities[8] that concern health status, provision of health care, or payment for health care that can be linked to an individual, often encompassing components of the patient’s medical records and history. In regulation, the privacy rule requires covered entities to eschew disclosure of PHI unless specifically requested to do so by the concerned individual or a personal representative through a written authorization, or when the HHS embarks on a compliance investigation, review or enforcement action