
Why is HIPAA Important to Patients?

HIPAA is important for patients because it provides a federal floor of privacy and security standards for their health data, requires covered entities to notify them if their data is accessed or disclosed impermissibly, and enables them to take more control over how their data is used. However, some patients misunderstand which organizations are required to comply with the Health Insurance Portability and Accountability Act (HIPAA).

The Health Insurance Portability and Accountability Act

The Health Insurance Portability and Accountability Act of 1996 – or HIPAA – is a federal law that applies to healthcare providers, health plans, and healthcare clearinghouses that conduct certain healthcare transactions electronically (e.g., eligibility checks, treatment authorizations, and payment claims). HIPAA also applies to vendors – business associates – that perform functions on behalf of HIPAA-covered entities that require them to have access to protected health information (PHI) or to be provided with copies of PHI. (See What is Protected Health Information.)

Originally, HIPAA was intended to improve the health insurance system and simplify the administration of healthcare, but it has since been expanded considerably. HIPAA now covers patient privacy, uses and disclosures of health data, and data security. HIPAA was primarily written to benefit consumers rather than healthcare organizations, yet the legislation itself is long and complicated, and it is not well understood by many patients and health plan members. This post simplifies HIPAA and explains why HIPAA is important to patients.

Why is HIPAA Important to Patients?

There are four key aspects of HIPAA that make it important for patients: privacy of health information, security of health data, notification of breaches of medical records, and the right to obtain copies of healthcare data.


Privacy of Health Data

The HIPAA Privacy Rule restricts which individuals are able to view healthcare data and with whom healthcare data can be shared without first obtaining permission from patients. Generally speaking, access to health data is restricted to healthcare employees who need to view health and personal information in order to provide healthcare services and perform administrative duties.

Healthcare organizations can only share PHI with business associates that perform healthcare operations services on behalf of a covered entity that require access to PHI: transcription service providers, payment processors, or mailing vendors, for example. In such cases, those business associates must agree to keep the data secure, and the same rules apply to their access to PHI and any disclosures of PHI to other individuals or companies. Any PHI provided must be limited to the minimum necessary to perform the specific services the business associate is contracted to perform.

Permission must be obtained from patients before their PHI can be shared with companies for other reasons, including research and marketing.

The Privacy Rule also allows patients to designate which individuals are permitted to obtain their health data on behalf of patients – friends, family, or caregivers for instance.

Security of Health Data

HIPAA requires healthcare organizations to implement safeguards to ensure that any health data created, stored, maintained, or transmitted is kept secure at all times. Those controls include administrative measures, physical security for paper records and for electronic devices that store health data, and technical controls such as encryption, anti-virus software, and firewalls. Healthcare employees must also be trained to recognize threats such as phishing emails and other email- and web-based threats. These measures are intended to prevent hackers and other cybercriminals from gaining access to patients’ and plan members’ health information.

Notification of Data Breaches

While HIPAA protects patient privacy by placing restrictions on who can access health data, and healthcare organizations are required to implement security controls to keep PHI secure, privacy and security breaches may still occur.

HIPAA requires healthcare organizations and their business associates to issue notifications to patients when health data is compromised or stolen. This allows breach victims to take action to protect their identities and reduce the risk of becoming a victim of fraud. HIPAA requires notifications to be issued within 60 days of a breach being discovered.

Copies of Medical Records

HIPAA gives patients the right to obtain copies of the health information created or held by healthcare organizations. By obtaining copies of their health data, patients can take a much more active role in their own healthcare. While in theory one healthcare provider should be able to send health data to another provider that is also treating the same patient, there are still issues that prevent all health data from being transferred.

By obtaining copies of their health information, patients can easily share that information with any healthcare organization, including research organizations, to help in studies that benefit the population as a whole.

Another important reason for obtaining copies of health data is to check health records for errors. If a mistake is made when recording health data – or health data has been used impermissibly to commit fraud – it could affect decisions about the best treatment for the patient. It is therefore important for patients to check their medical records for errors and to have any mistakes corrected.

Not all Healthcare Organizations Are Covered by HIPAA Rules

While the above rights and protections apply to most healthcare providers and health insurers, they do not apply to all healthcare organizations, even if those organizations appear to provide services similar to those of HIPAA-covered entities and collect the same types of data.

HIPAA does not apply to health app developers, for instance, unless they are contracted by a HIPAA-covered entity to develop apps or to provide apps to patients. HIPAA also does not apply to life insurance companies, workers’ compensation schemes, employers, public schools, many state agencies, law enforcement agencies, the media, and many municipal offices.

The protections of HIPAA and the rights afforded by the legislation do not apply to those organizations.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
