The Health Insurance Portability and Accountability Act of 1996 – or HIPAA – is federal legislation that impacts healthcare providers, health plans, and healthcare clearinghouses that complete transactions electronically. HIPAA also applies to vendors – business associates – that conduct duties on behalf of HIPAA-covered entities that require them to have access to protected health information (PHI) or to be supplied with copies of PHI.
HIPAA was passed into law by the Bill Clinton administration in 1996, although the legislation has had some major updates over the years, notably the HIPAA Privacy Rule in 2000, the Security Rule in 2003, and the Breach Notification Rule in 2009.
At first HIPAA was aimed at strengthening the health insurance system and simplifying the administration of healthcare, but it has since grown considerably. HIPAA now covers patient privacy, uses and disclosures of health data, and data security.
HIPAA was devised to benefit consumers rather than healthcare groups, yet the legislation itself is long, complicated, and not well understood by many patients and health plan subscribers.
Why is HIPAA of Benefit to Patients?
There are four main aspects of HIPAA that benefit patients: privacy of health information, security of health data, notifications of breaches of medical records, and the right to receive copies of healthcare data.
1. Health Data Privacy
The HIPAA Privacy Rule limits the individuals who are able to access healthcare data and who healthcare data can be sent to without first obtaining permission from patients. In essence, access to health data is restricted to healthcare workers who need to view health and personal information in order to provide healthcare services and perform administrative tasks.
Healthcare groups can only share PHI with business associates that carry out healthcare operations services on behalf of a covered entity that require access to PHI: transcription service providers, payment processors, or mailing vendors, for instance. In such cases, those business associates must agree to keep the data secure, and the same rules on access to and disclosure of PHI to other people or companies apply to them. Any PHI supplied must be restricted to the minimum necessary amount to perform the specific services the business associate is hired to perform.
Authorization must be obtained from patients before their PHI can be sent to companies for other reasons, including research and marketing.
The Privacy Rule also permits patients to designate which individuals are allowed to download/receive their health data on behalf of patients – friends, family, or caregivers for example.
2. Health Data Security
HIPAA requires healthcare groups to put in place safeguards to ensure any health data created, saved, maintained, or transmitted is kept secure at all times. Those controls include administrative measures, physical security for paper files and electronic devices that contain health data, and technical controls such as encryption, anti-virus software, and firewalls. Healthcare workers must also be trained to recognize threats such as phishing emails and other email- and web-based threats. These measures are intended to prevent hackers and other cybercriminals from gaining access to patients' and plan members' health information.
3. Data Breach Notifications
While HIPAA protects patient privacy by restricting who can see health data, and requires healthcare groups to implement security controls to keep PHI secure, privacy and security breaches can still happen.
HIPAA requires healthcare groups and their business associates to issue notifications to affected individuals when health data is compromised or stolen. This allows breach victims to take action to safeguard their identities and reduce the risk of becoming a victim of fraud. HIPAA requires notifications to be sent within 60 days of a breach being identified.
4. Medical Record Copies
HIPAA gives patients the right to obtain copies of the health information created or stored by healthcare groups. By obtaining copies of their health data, patients can take a much more effective role in their own healthcare. While in theory one healthcare provider should be able to share health data with another provider that is also treating the same patient, there are still some problems that stop all health data from being transferred.
By obtaining copies of their health information, patients can easily share that information with any healthcare group, including research organizations, to help with studies that benefit the entire population.
One other significant reason for obtaining copies of health data is to review health records for errors. If a mistake occurred while recording health data, it could have an impact on decisions about the best treatment for the patient. It is therefore important for patients to review their medical records for errors and to have them corrected.
Not Every Healthcare Organization is Governed by HIPAA Rules
While the above rights and protections apply to the majority of healthcare providers and health insurers, they do not apply to EVERY healthcare organization, even if those groups appear to provide similar services to HIPAA-covered entities and collect the same types of data.
HIPAA does not apply to health app developers, for example, unless they have been hired by a HIPAA-covered entity to develop apps or to provide apps to patients. HIPAA does not apply to life insurance firms, workers' compensation schemes, employers, schools, many state agencies, law enforcement bodies, the media, and many municipal offices.
Consequently, the protections of HIPAA and the rights afforded by the legislation do not apply to those groups.