The Health Insurance Portability and Accountability Act of 1996, or HIPAA, was signed into law by President Bill Clinton. It was initially intended to help streamline the health insurance system and healthcare administration. But the primary beneficiaries of this legislation are consumers, which is why it has since been expanded to cover patient privacy, the uses and disclosures of health data, and data security. Not many patients and health plan members understand this long and complicated legislation, but it is important to do so.
There are four areas of HIPAA that are of direct concern to patients: the privacy of health data, the security of health data, notification of health data breaches, and the right to obtain copies of healthcare data.
The HIPAA Privacy Rule protects patients’ healthcare data from unauthorized access. In general, only healthcare employees who need a patient’s health and personal information to perform healthcare services may access and view that data. Sharing patients’ healthcare data for other reasons, such as research or marketing, requires the patient’s permission first. If necessary, the patient may also designate individuals – family, friends or caregivers – who can obtain their health data on their behalf.
Sometimes, third-party service providers, known as business associates, need access to patients’ protected health information (PHI) in order to perform services on behalf of healthcare organizations. Examples of business associates are transcription service providers, mailing vendors and payment processors. Business associates must follow the same HIPAA rules to keep PHI secure, and the PHI shared with them is limited to the minimum necessary to perform the service.
Healthcare organizations are required by HIPAA to implement all the necessary safeguards to secure PHI at all times. Controls include policies and procedures, physical security and technical controls like encryption, firewalls and antivirus software. Employees also need to be trained on cyberattack awareness to keep hackers and cybercriminals from getting access to patient PHI.
Despite the controls implemented to protect patient privacy, data breaches will still happen. In such cases, HIPAA requires covered entities and business associates to notify patients whose PHI is compromised within 60 days of discovering the breach. The notification allows breach victims to take precautionary action and reduce their risk of fraud.
Patients have the right to obtain copies of their health records from healthcare organizations. With this data in hand, patients can take a more active role in their healthcare. They can easily share the information with any physician or healthcare organization they are consulting. Patients can also check the records for errors and have them corrected. This matters because errors in the record could affect a healthcare provider’s decisions about the best treatment to give.
The HIPAA Rules apply to most healthcare providers, but they do not apply to every entity in the healthcare industry. The following organizations are not covered by the HIPAA Rules: health app developers, life insurance companies, many state agencies, workers’ compensation schemes, law enforcement agencies, municipal offices and the media.