The Health Insurance Portability and Accountability Act of 1996 or HIPAA was signed into law by Pres. Bill Clinton on August 21, 1996. It was initially intended to improve efficiency in healthcare by streamlining healthcare administration and ensuring employees retained health insurance coverage while they were between jobs. Since HIPAA was enacted, new legislation was introduced to ensure the privacy of healthcare data and to make sure healthcare organizations implemented appropriate security measures to keep patient data protected. That legislation was added to HIPAA in the Privacy and Security Rules, and those two Rules are what HIPAA is now best known for.
There are four key aspects of HIPAA that directly concern patients. They are the privacy of health data, security of health data, notifications of healthcare data breaches, and patient rights over their own healthcare data.
Privacy of Healthcare Data
The HIPAA Privacy Rule places restrictions on uses and disclosures of healthcare data. Only authorized individuals are permitted to access patients’ healthcare data, and the allowable uses are the provision of treatment, payment for healthcare services, and healthcare operations (essential business purposes). HIPAA-covered entities – healthcare providers, health plans, and healthcare clearinghouses – can use patients’ “Protected Health Information” (PHI) for the above reasons without having to get permission. While there are exceptions, using or sharing healthcare data for reasons other than those listed above – for research or marketing purposes, for instance – is generally only permitted if an authorization is obtained from the patient in advance.
HIPAA also covers vendors – termed business associates – that provide products or services for HIPAA-covered entities that require access to PHI. Business associates include transcription service providers, mailing vendors, payment processors, lawyers, and IT service providers. Business associates also need to comply with certain aspects of the HIPAA Rules and any PHI shared with these individuals or companies must be restricted to the minimum necessary information to allow them to perform their services.
Security of Healthcare Data
The HIPAA Security Rule requires HIPAA-covered entities and business associates to implement safeguards to ensure PHI is protected at all times. Controls include administrative policies and procedures, physical security measures, and technical controls like encryption, firewalls and antivirus software. Employees also need to receive security awareness training to help them identify threats to patient data, such as phishing emails.
All HIPAA-covered entities must conduct a comprehensive risk analysis to identify all vulnerabilities and threats to PHI and to the systems on which PHI is stored. Those risks must then be managed and reduced to a low and acceptable level.
Notifications of Healthcare Data Breaches
Even with appropriate security measures in place to protect PHI, data breaches may still occur. In such cases, the HIPAA Breach Notification Rule requires covered entities and business associates to notify patients whose PHI is compromised within 60 days of discovering the breach. The notification allows breach victims to take precautionary measures to protect themselves against identity theft and other types of fraud. Data breaches must also be reported to regulators, which investigate breaches to determine whether the breach was the result of a HIPAA violation. If HIPAA violations are discovered, financial penalties and other sanctions can be imposed.
Patient Rights over their Healthcare Data
The HIPAA Privacy Rule gave patients new rights over their healthcare data. Patients have the right to obtain a copy of their health records from healthcare organizations, and can only be charged a reasonable, cost-based fee. This allows individuals to take a more active role in their healthcare, check their medical records for errors, and request that any errors be corrected. Copies of healthcare data must be provided within 30 days of a request being submitted. Patients may also designate individuals – family, friends, or caregivers – who can obtain their health data on their behalf.
Other important rights include the right to view an organization’s ‘accounting of disclosures’ log. HIPAA-covered entities must maintain a record of all disclosures of an individual’s PHI for purposes other than treatment, payment, or healthcare operations, so patients can see who has been provided with their PHI. Patients also have the right to request certain restrictions on disclosures of their PHI. They can also request confidential communications, and have the right to file complaints about violations of their privacy.
Exceptions to HIPAA Privacy and Security Rules
The HIPAA Rules apply to most healthcare providers – those that conduct healthcare transactions electronically – but they do not apply to all entities in the healthcare industry.
One notable exception is health app developers. Health apps often collect data that would be classed as PHI if it were collected by a healthcare provider. However, since app developers are only classed as business associates if they create an app specifically for a HIPAA-covered entity, users of such apps will often not be protected by HIPAA, and the health data entered, collected, stored, or transmitted by the apps will not be subject to the HIPAA Rules. That is an area that many privacy advocates are trying to change.
HIPAA and its Importance to Patients: FAQ
Can patients sue for HIPAA violations?
Though HIPAA was written with patient privacy in mind, patients whose PHI was exposed in a HIPAA breach cannot sue the covered entity (CE) responsible. This is because HIPAA does not stipulate a private cause of action (which means that individuals cannot enforce their rights; only government or public bodies can). They may be able to seek compensation under other regulations, or if the CE violated a different contract relating to the security of health data.
Which HIPAA Rules are most important for patients to understand?
All HIPAA Rules are in place to protect the rights of a patient in relation to their health insurance plan and the privacy of their healthcare data. That being said, there are two main Rules that patients should know about. The HIPAA Privacy Rule dictates how PHI should be used, who it should be disclosed to, and how patients can access, amend, or delete their PHI. The HIPAA Security Rule primarily relates to the administrative, technical, and physical safeguards necessary to protect PHI. Though these are implemented by the covered entity (CE) or business associate (BA), it can be useful for patients to know the safeguards in place to protect their privacy.
How can patients access their PHI?
To access their PHI, patients should be able to submit a request to the CE (or nominate an individual to submit the request on their behalf). The request should be fulfilled within 30 days of submission. Depending on the policies of the healthcare provider, requests can be physical or electronic, and a reasonable fee may be charged. Reasonable steps should be taken to verify the identity of the person making the request before the data is handed over.
What should patients do if they feel their rights under HIPAA have been violated?
Anyone concerned that their rights under HIPAA have not been respected should seek legal advice. If there are legitimate grounds, they can file a complaint with the covered entity directly or with the Department of Health and Human Services, which may then conduct an investigation. Though patients cannot sue CEs for HIPAA violations, filing such a complaint can help to prevent future breaches.