
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

What is HIPAA?

HIPAA is an acronym for the Health Insurance Portability and Accountability Act – an Act primarily intended to reform the health insurance industry which also led to the adoption of federal standards for safeguarding patients’ “Protected Health Information” (PHI) and ensuring the confidentiality, integrity, and availability of PHI created, maintained, processed, transmitted, or received electronically (ePHI).  

The HIPAA Privacy Rule

The federal standards for safeguarding patients’ PHI are known as the HIPAA Privacy Rule. This Rule stipulates what uses and disclosures of PHI by “covered” healthcare providers are required or permitted, and which require a patient’s consent or authorization. All covered healthcare providers are required to inform patients of how they may use and disclose PHI via a HIPAA Notice of Privacy Practices.

The HIPAA Notice of Privacy Practices must also inform patients of the rights they have over their health information. These rights include:

  • The right to request privacy protections for PHI

For example, patients can request that a healthcare provider does not inform a health plan of a treatment that has been paid for privately.


  • The right to request an accounting of disclosures

An accounting of disclosures enables patients to check healthcare providers are using and disclosing PHI consistent with the HIPAA Notice of Privacy Practices.

  • The right to request copies of health and payment information

By monitoring what health and payment information is maintained about them, patients can ensure the information is correct and is not being used by anyone else.

  • The right to request amendments where errors exist

Patients have the right to request corrections to their health and payment information if it is found to be inaccurate or incomplete.

Finally, the HIPAA Notice of Privacy Practices must inform patients they will be notified in the event of a data breach and provide the contact information of a Privacy Officer. The Privacy Officer is responsible for receiving and resolving complaints when a patient believes their PHI has been impermissibly used or disclosed or when their HIPAA rights have been denied.

The HIPAA Security Rule

The HIPAA Security Rule contains standards intended to ensure the confidentiality, integrity, and availability of PHI when it is created, maintained, processed, transmitted, or received electronically. The standards are mostly administrative or technical in nature and are implemented “behind the scenes” – for example, data backups, access controls, contingency planning and testing, etc.

The implementation of the HIPAA Security Rule standards is unlikely to impact the patient experience in a healthcare environment other than with regards to patient-provider communications. In some cases, a healthcare provider may refuse to communicate with a patient via a specific channel because the channel of communication does not support compliance with HIPAA and could place PHI at risk.

In addition, when a HIPAA covered healthcare provider discloses a patient’s PHI to a third party service provider (e.g., a third party administrator or accountant), the third party is also required to comply with the HIPAA Security Rule as a business associate. Business associates may also be required to comply with certain standards of the HIPAA Privacy Rule depending on the nature of the service being provided.

Why Patients Choose HIPAA Compliant Healthcare Providers

There are benefits of choosing a HIPAA compliant healthcare provider. These are not immediately evident until you compare a HIPAA compliant healthcare provider to a healthcare provider that disregards patients’ privacy protections and experiences data breaches due to a failure to comply with the HIPAA Security Rule. The benefits generally fall into three categories.

Patients are More Willing to Disclose Information to Providers

When patients trust confidential information will remain confidential, they are more willing to disclose information to their healthcare providers about – for example – their lifestyles, the symptoms they are experiencing, and the side-effects of medication. With more information, healthcare providers can make more accurate diagnoses and prescribe more appropriate courses of treatment, resulting in better patient outcomes.

Less Likely to Experience a Disruption of Service

Healthcare providers that do not comply with the HIPAA Security Rule standards or provide adequate HIPAA training to members of the workforce on data security are more likely to experience a cyberattack that takes healthcare systems offline. Cyberattacks of this nature not only expose PHI to unauthorized access and compromise, but they can also disrupt the delivery of healthcare to patients – sometimes with fatal consequences.

Fewer Delays in the Delivery of Healthcare

Cyberattacks do not only disrupt services while they are in progress. After a cyberattack, a healthcare provider may be required to revise policies and procedures and train members of the workforce on the new policies and procedures. Adjusting to new workplace practices takes time, during which delays can occur in all areas of the healthcare environment – impacting patient safety and potentially leading to worse patient outcomes.

What is HIPAA? FAQs

Which organizations does HIPAA apply to?

HIPAA applies to all covered entities, business associates, and contractors providing a service to a business associate. Covered entities are defined as health plans, health care clearinghouses, and healthcare providers who electronically transmit health information in connection with transactions for which HHS has adopted standards. Teaching institutions can also qualify as “Hybrid Entities” if they provide medical services to both students and non-students.

Business associates are persons or organizations who perform a service for a covered entity that involves the use or disclosure of PHI. Services can include legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, financial services, data analysis, claims processing or administration. A covered entity can be a business associate of another covered entity, but a member of a covered entity´s workforce is not a business associate.

Why might a teaching institution qualify as a hybrid entity?

One of the most quoted examples of a federal law pre-empting HIPAA is FERPA – the Family Educational Rights and Privacy Act. FERPA protects the privacy of student education records, and – under FERPA – any medical treatment received by a student is recorded on their educational record. Consequently, if only students receive medical treatment in a teaching institution, the institution is not a covered entity under HIPAA. However, if a teaching institution provides medical services for non-students, the medical records of non-students are protected by HIPAA, while the medical records of students remain protected by FERPA.

Why should patients care about HIPAA?

Patients should care about HIPAA because it protects their health and payment information, allows them to have more control over how their personal information is used and disclosed, and enables them to take a more active role in their healthcare. The ability to obtain copies of health information can also help to protect patients against medical identity theft and unfair billing practices.

Having copies of their health information also helps patients when they wish to change healthcare providers. Information can be transferred to the new healthcare provider, tests do not need to be repeated, and new healthcare providers have the entire health history of a patient to inform their decisions. Prior to the introduction of the HIPAA Privacy Rule, there were no requirements for healthcare organizations to release copies of patients’ health information.

What are the financial benefits for healthcare providers of complying with HIPAA?

The financial benefits for healthcare providers of complying with HIPAA include better patient outcomes and higher satisfaction scores, increased staff morale and employee retention, and fewer readmissions – a key factor in avoiding CMS payment penalties under the Hospitals Readmissions Reduction Program and other value-based initiatives.

If patients are unable to exercise their HIPAA rights, what happens?

If patients are unable to exercise their HIPAA rights, they have the right to complain to the healthcare provider’s Privacy Officer. Patients have the right to escalate their complaints to HHS’ Office for Civil Rights if the initial complaint does not resolve the issue – which could result in a financial penalty and a time-consuming corrective action plan.

Allowing patients to exercise their HIPAA rights is important because healthcare providers are human and prone to human error as much as anybody else. Healthcare providers can make mistakes in patients’ records that can result in misdiagnoses, the wrong treatment being provided, or the wrong medication being prescribed.

By complying with HIPAA, facilitating patient access to PHI, and accepting requests to make corrections when appropriate, the risks of incorrect diagnoses, treatments, and medications are mitigated. Having access to their records can also encourage patients to take more responsibility for their own wellbeing and comply with treatment plans.

How is compliance with HIPAA enforced?

Compliance with HIPAA is enforced by two agencies within the Department of Health and Human Services (HHS). HHS’ Office for Civil Rights is responsible for enforcing compliance with the HIPAA General Rule, HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule. HHS’ Centers for Medicare and Medicaid Services enforces compliance with the HIPAA Transactions and Code Sets Rules.

The Federal Trade Commission also enforces compliance with HIPAA for health appliance vendors that do not qualify as HIPAA covered entities, but who are required to comply with the Health Breach Notification Rule under Section 5 of the FTC Act.

What states have more stringent data protection laws than HIPAA?

Most states have a selection of data protection laws; and although some may have more stringent individual standards than HIPAA (e.g., some states require data retention beyond six years), none replace HIPAA in its entirety. However, it is important not only to know which laws apply in the state where your organization is located, but also in any jurisdictions in which your organization creates, maintains, processes, transmits, or receives PHI.

This is because in some states (e.g., Texas), data protection laws apply to any organization that creates, maintains, processes, transmits, or receives healthcare information relating to a citizen of that state – even if the citizen was not physically present in the state when the activity occurred. Furthermore, some data protection laws do not distinguish between covered entities and business associates: any organization that engages in a covered activity is a Covered Entity.

What privacy rights exist under the Privacy Act 1974?

The Privacy Act 1974 restricts how federal agencies collect, maintain, use, and disclose personally identifiable information. The basic policy objectives of the Privacy Act are:

  1. To restrict disclosure of personally identifiable records maintained by agencies.
  2. To grant individuals increased rights of access to agency records maintained on themselves.
  3. To grant individuals the right to seek amendment of agency records when the records are not accurate, relevant, timely, or complete.
  4. To establish a code of fair information practices that requires agencies to comply with the statutory norms for collection, maintenance, and dissemination of records.

The basic policy objectives of the Privacy Act mirror several HIPAA Privacy Rule standards relating to patients’ rights and the technical, physical, and administrative safeguards of the HIPAA Security Rule. However, while most federal agencies have to comply with the Privacy Act at all times, agencies that collect, maintain, use, or disclose PHI have to comply with HIPAA at all times – unless a Privacy Act implementation specification provides better privacy rights or data protection than HIPAA.

When might professional regulations preempt HIPAA?

The best example of when professional regulations preempt HIPAA is the Military Command Exception. Under the Military Command Exception, healthcare professionals can disclose the PHI of Armed Forces personnel to command authorities for activities such as fitness for duty determinations, fitness to perform a particular assignment, or other activities necessary for a military mission. Mental health disclosures are also permitted when there is a serious risk of harm to self, others, or a mission.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
