What is the Purpose of HIPAA?

The Health Insurance Portability and Accountability Act – or HIPAA as it is better known – is an important legislative Act affecting the U.S. healthcare industry, but what is the purpose of HIPAA? Healthcare professionals often complain about the restrictions of HIPAA – Are the benefits of the legislation worth the extra workload?

What is the Purpose of HIPAA?

HIPAA was first introduced in 1996. In its earliest form, the legislation helped to ensure that employees would continue to receive health insurance coverage when they were between jobs. The legislation also required healthcare organizations to implement controls to secure patient data to prevent healthcare fraud, although it took several years for the rules for doing so to be penned.

HIPAA also introduced several new standards that were intended to improve efficiency in the healthcare industry, requiring healthcare organizations to adopt the standards to reduce the paperwork burden. Code sets had to be used along with patient identifiers, which helped pave the way for the efficient transfer of healthcare data between healthcare organizations and insurers, streamlining eligibility checks, billing, payments, and other healthcare operations.

HIPAA also prohibits the tax-deduction of interest on life insurance loans, enforces group health insurance requirements, and standardizes the amount that may be saved in a pre-tax medical savings account.

HIPAA is a comprehensive legislative act incorporating the requirements of several other legislative acts, including the Public Health Service Act, Employee Retirement Income Security Act, and more recently, the Health Information Technology for Economic and Clinical Health (HITECH) Act.

Health Data Privacy and Security

HIPAA is now best known for protecting the privacy of patients and ensuring patient data is appropriately secured, with those requirements added by the HIPAA Privacy Rule and the HIPAA Security Rule. The requirement for notifying individuals of a breach of their health information was introduced in the Breach Notification Rule in 2009.

The purpose of the HIPAA Privacy Rule was to introduce restrictions on the allowable uses and disclosures of protected health information, stipulating when, with whom, and under what circumstances, health information could be shared. Another important purpose of the HIPAA Privacy Rule was to give patients access to their health data on request. The purpose of the HIPAA Security Rule is mainly to ensure electronic health data is appropriately secured, access to electronic health data is controlled, and an auditable trail of PHI activity is maintained.

So, in summary, what is the purpose of HIPAA? To improve efficiency in the healthcare industry, to improve the portability of health insurance, to protect the privacy of patients and health plan members, and to ensure health information is kept secure and patients are notified of breaches of their health data.

The Purpose of HIPAA FAQs

Why did it take so long between the passage of HIPAA and the publication of the Privacy Rule?

When HIPAA was passed in 1996, the Secretary of Health and Human Services was tasked with recommending standards for the privacy of individually identifiable health information. The recommendations had to be presented to Congress within a year; and, if Congress did not enact privacy legislation within three years, the Secretary was to promulgate a Final Rule. This became known as the HIPAA Privacy Rule.

The HIPAA Privacy Rule was originally published on schedule in December 2000. However, due to the volume of comments expressing confusion, misunderstanding, and concern over the complexity of the Privacy Rule, it was revised to prevent “unanticipated consequences that might harm patients´ access to health care or quality of health care” (see 67 FR 14775-14815). A significantly modified Privacy Rule was published in August 2002.

Why are there separate Privacy and Security Rules?

The Security Rule is a sub-set of the Privacy Rule inasmuch as the Privacy Rule stipulates the circumstances in which it is allowable to disclose PHI and the Security Rule stipulates the protocols required to safeguard electronic PHI from unauthorized uses, modifications, and disclosures. It is also important to note that the Privacy Rule applies to Covered Entities, while both Covered Entities and Business Associates are required to comply with the Security Rule.

Why might patients want to access their health data?

Healthcare professionals have exceptional workloads – due to which mistakes can be made when updating patient notes. By enabling patients to access their health data – and requesting amendments when data are inaccurate or incomplete – patients can take responsibility for their health; and, if they wish, take their records to an alternate provider in order to avoid the necessity of repeating tests to establish diagnoses that already exist.

How else does HIPAA benefit patients?

Prior to HIPAA, there were few controls to safeguard PHI. Data was often stolen to commit identity theft and insurance fraud – affecting patients financially in terms of personal loss, increased insurance premiums, and higher taxes. In the late 1980s and early 1990s, healthcare spending per capita increased by more than 10% per year. Now – partly due to the controls implemented to comply with HIPAA – increases in healthcare spending per capita are less than 5% per year.

What did the Breach Notification Rule change in 2009?

The Breach Notification Rule made it a legal requirement for Covered Entities to notify patients if unsecured PHI is accessed – or potentially accessed – without authorization. The Covered Entity has to provide details of what PHI is involved and what measure the patient should take to prevent harm (i.e., cancelling credit cards). By providing this information in a timely manner (the maximum time allowed is 60 days), patients can protect themselves from becoming the victims of theft and fraud.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.