Most Americans have heard of HIPAA and know that the legislation applies to healthcare organizations, but many do not understand why HIPAA is important to patients.
The Health Insurance Portability and Accountability Act
The Health Insurance Portability and Accountability Act of 1996 – or HIPAA – is a federal law that applies to healthcare providers, health plans, and healthcare clearinghouses that conduct transactions electronically. HIPAA also applies to vendors – business associates – that perform functions on behalf of HIPAA-covered entities that require them to have access to protected health information (PHI) or to be provided with copies of PHI. (See What is Protected Health Information.)
HIPAA was signed into law by Bill Clinton in 1996, although the legislation has had some significant updates over the years, notably the HIPAA Privacy Rule in 2000, the Security Rule in 2003, and the Breach Notification Rule in 2009. (See our HIPAA History page for more information.)
Initially HIPAA was intended to improve the health insurance system and simplify the administration of healthcare, but it has since been expanded considerably. Now HIPAA covers patient privacy, uses and disclosures of health data, and data security.
HIPAA was primarily penned to benefit consumers rather than healthcare organizations, yet the legislation itself is long, complicated, and not well understood by many patients and health plan members. This post greatly simplifies HIPAA and explains why HIPAA is important to patients.
Why is HIPAA Important to Patients?
There are four key aspects of HIPAA that make it important for patients: privacy of health information, security of health data, notification of breaches of medical records, and the right to obtain copies of healthcare data.
Privacy of Health Data
The HIPAA Privacy Rule restricts who is able to view healthcare data and with whom healthcare data can be shared without first obtaining permission from patients. Generally speaking, access to health data is restricted to healthcare employees who need to view health and personal information in order to provide healthcare services and perform administrative duties.
Healthcare organizations can only share PHI with business associates that perform services on behalf of a covered entity that require access to PHI: transcription service providers, payment processors, or mailing vendors, for example. In such cases, those business associates must agree to keep the data secure, and the same rules on access to and disclosure of PHI to other individuals or companies apply to them. Any PHI provided must be limited to the minimum necessary to perform the specific services the business associate is contracted to perform.
Permission must be obtained from patients before their PHI can be shared with companies for other reasons, including research and marketing.
The Privacy Rule also allows patients to designate which individuals are permitted to obtain their health data on behalf of patients – friends, family, or caregivers for instance.
Security of Health Data
HIPAA requires healthcare organizations to implement safeguards to ensure that any health data created, stored, maintained, or transmitted is kept secure at all times. Those controls include administrative measures, physical security for paper records and for electronic devices that store health data, and technical controls such as encryption, anti-virus software, and firewalls. Healthcare employees must also be trained to recognize threats such as phishing emails and other email- and web-based threats. These measures are intended to prevent hackers and other cybercriminals from gaining access to patients’ and plan members’ health information.
Notification of Data Breaches
While HIPAA protects patient privacy by placing restrictions on who can access health data, and healthcare organizations are required to implement security controls to keep PHI secure, privacy and security breaches may still occur.
HIPAA requires healthcare organizations and their business associates to issue notifications to patients when health data is compromised or stolen. This allows breach victims to take action to protect their identities and reduce the risk of becoming a victim of fraud. HIPAA requires notifications to be issued within 60 days of a breach being discovered.
Copies of Medical Records
HIPAA gives patients the right to obtain copies of the health information created or held by healthcare organizations. By obtaining copies of their health data, patients can take a much more active role in their own healthcare. While in theory one healthcare provider should be able to send health data to another provider that is also treating the same patient, there are still some issues that prevent all health data from being transferred.
By obtaining copies of their health information, patients can easily share that information with any healthcare organization, including research organizations, to help in studies that benefit the population as a whole.
One other important reason for obtaining copies of health data is to check health records for errors. If a mistake is made recording health data, it could have an impact on decisions about the best treatment for patients. It is therefore important for patients to check their medical records for errors and to correct any mistakes.
Not all Healthcare Organizations Are Covered by HIPAA Rules
While the above rights and protections apply to most healthcare providers and health insurers, they do not apply to ALL healthcare organizations, even if those organizations appear to provide similar services to HIPAA-covered entities and collect the same types of data.
HIPAA does not apply to health app developers, for instance, unless they are contracted by a HIPAA-covered entity to develop apps or provide apps to patients. HIPAA does not apply to life insurance companies, workers’ compensation schemes, employers, schools, many state agencies, law enforcement agencies, the media, and many municipal offices.
Consequently, the protections of HIPAA and the rights afforded by the legislation do not apply to those organizations.