The Health Insurance Portability and Accountability Act of 1996, or HIPAA, was signed into law by President Bill Clinton on August 21, 1996. It was initially intended to improve efficiency in healthcare by streamlining healthcare administration and ensuring employees retained health insurance coverage while they were between jobs. Since HIPAA was enacted, new legislation was introduced to ensure the privacy of healthcare data and to make sure healthcare organizations implemented appropriate security measures to keep patient data protected. That legislation was added to HIPAA in the Privacy and Security Rules, and those two Rules are what HIPAA is now best known for.
There are four key aspects of HIPAA that directly concern patients. They are the privacy of health data, security of health data, notifications of healthcare data breaches, and patient rights over their own healthcare data.
Privacy of Healthcare Data
The HIPAA Privacy Rule places restrictions on uses and disclosures of healthcare data. Only authorized individuals are permitted to access the healthcare data of patients, and the allowable uses are for the provision of treatment, payment for healthcare services, and for healthcare operations (essential business purposes). HIPAA-covered entities – healthcare providers, health plans, and healthcare clearinghouses – can use patients’ “Protected Health Information” (PHI) for the above reasons without having to get permission. While there are exceptions, generally, using or sharing healthcare data for reasons other than those listed above – for research or marketing purposes for instance – is only permitted if an authorization is obtained from the patient in advance.
HIPAA also covers vendors – termed business associates – that provide products or services for HIPAA-covered entities that require access to PHI. Business associates include transcription service providers, mailing vendors, payment processors, lawyers, and IT service providers. Business associates also need to comply with certain aspects of the HIPAA Rules and any PHI shared with these individuals or companies must be restricted to the minimum necessary information to allow them to perform their services.
Security of Healthcare Data
The HIPAA Security Rule requires HIPAA-covered entities and business associates to implement safeguards to ensure PHI is protected at all times. Controls include administrative policies and procedures, physical security measures, and technical controls like encryption, firewalls and antivirus software. Employees also need to receive security awareness training to help them identify threats to patient data, such as phishing emails.
All HIPAA-covered entities must conduct a comprehensive risk analysis to identify all vulnerabilities and threats to PHI and to the systems on which PHI is stored. Those risks must then be managed and reduced to a low and acceptable level.
Notifications of Healthcare Data Breaches
Even with appropriate security measures in place to protect PHI, data breaches may still occur. In such cases, the HIPAA Breach Notification Rule requires covered entities and business associates to notify patients whose PHI is compromised within 60 days of discovering the breach. The notification allows breach victims to take precautionary measures to protect themselves against identity theft and other types of fraud. Data breaches must also be reported to regulators, which investigate breaches to determine whether the breach was the result of a HIPAA violation. If HIPAA violations are discovered, financial penalties and other sanctions can be imposed.
Patient Rights over their Healthcare Data
The HIPAA Privacy Rule gave patients new rights over their healthcare data. Patients have the right to obtain a copy of their health records from healthcare organizations, and can only be charged a reasonable, cost-based fee. This allows individuals to take a more active role in their healthcare, check their medical records for errors, and request that any errors be corrected. Copies of healthcare data must be provided within 30 days of a request being submitted. Patients may also designate individuals – family, friends or caregivers – who can obtain their health data on their behalf.
Other important rights include the right to view an organization’s ‘accounting of disclosures’ log. HIPAA-covered entities must maintain a record of all disclosures of an individual’s PHI for purposes other than treatment, payment, or healthcare operations, so patients can see who has been provided with their PHI. Patients also have the right to request certain restrictions on disclosures of their PHI. They can also request confidential communications, and have the right to file complaints about violations of their privacy.
Exceptions to HIPAA Privacy and Security Rules
The HIPAA Rules apply to most healthcare providers – those that conduct healthcare transactions electronically – but they do not apply to all entities in the healthcare industry.
One notable exception is health app developers. Health apps often collect data that would be classed as PHI if collected by a healthcare provider. However, since these app developers are only classed as business associates if they create an app specifically for a HIPAA-covered entity, users of such apps often will not be protected by HIPAA, and the health data entered, collected, stored or transmitted by the apps will not be subject to the HIPAA Rules. That is an area that many privacy advocates are trying to change.