HIPAA

HIPAA for Members

The Utah Department of Health and Human Services, Division of Integrated Healthcare takes the protection of your health information very seriously. We are required by law to keep your health information private and secure. The federal law that has specific rules about the privacy and security of health information is HIPAA.

What is HIPAA and Why Is It Important?

"HIPAA" stands for the Health Insurance Portability and Accountability Act of 1996.  The intent of "HIPAA" is:

  • to improve health coverage by allowing individuals to "take their insurance with them" when they change jobs;
  • to combat fraud, waste and abuse; and,
  • to simplify the administration of health insurance.

HIPAA applies to "covered entities".  Covered entities are providers, e.g., doctors, hospitals, pharmacies; health insurance plans, e.g., Blue Cross/Blue Shield, United Health Care, Medicare and Medicaid, etc.; and health care clearinghouses who assist providers with billing and health information access.

One way to accomplish this is to manage health information electronically.  This would help covered entities more easily use and share data to treat you, bill for services, and run health care operations.  HIPAA makes it easy to share data for these reasons, and, at the same time, limits access to your health information by requiring patient approval for other uses of the data.

Notice of Privacy Practices

One important requirement of covered entities under HIPAA is that you be notified about what happens to the health information they collect, use and share.  This requirement is called a "Notice of Privacy Practices".  The Notice must be given to you the first time you sign up for Medicaid or visit your provider.  It tells you:

  1. How Medicaid uses and shares your health information; and,
  2. What rights you have under HIPAA to manage your own health information.

Here are copies of the Medicaid Notice of Privacy Practices in English and Spanish.

Medicaid English Notice of Privacy Practices 

Medicaid Aviso de Prácticas de Privacidad

Rules and Regulations

HIPAA includes some important regulations that help create a system of privacy and security for the use and sharing of health information.  These are:

The Privacy Rule

This rule includes regulations that require the protection of medical records and other personal health information that is collected and kept by covered entities.  It regulates the use and disclosure of protected health information (PHI), whether it’s written, oral or electronic.

The Rule 1) makes it easy to share information for treatment, payment and health care business operations; 2) gives patients rights to access and manage their health information, and to know where their information has been shared; and, 3) restricts the sharing of health information to the minimum necessary to accomplish a specific purpose.

The Security Rule

This rule requires covered entities to implement a series of administrative, technical, and physical security requirements to protect the confidentiality, integrity and availability of PHI.

The Breach Notification Rule

This rule requires covered entities to notify individuals if their PHI has been "breached", that is, used or disclosed in a way that is not allowed by HIPAA.

Utah Health Information Rules

The Utah Health Information Network (UHIN) is a not-for-profit organization that reduces the cost of providing health care by efficiently managing electronic health information. Visit the UHIN website for more information about how they make healthcare work more easily for patients.

Forms

You have the right to receive a copy of your health information and to authorize Medicaid to share your information with a third party. You may use the following form to:

  • obtain a copy of your Medicaid billing information 
  • have Medicaid share your billing information for any reason, or
  • request that a provider or outside organization share your information with Medicaid.

Member Authorization to Request Release of PHI

If you have questions about HIPAA, about how Medicaid uses and discloses your health information, or about your rights to manage your own health information, contact the Medicaid Privacy and Security Office at:  dih_datasecurity@utah.gov or 385-290-5555.