There are various answers to the question what does HIPAA protect depending on the perspective from which you look at the Health Insurance Portability and Accountability Act. This is because, in the Act, the word “protect” – or variations thereof – appears in several different sections.
When looking for answers to the question what does HIPAA protect, it is best to start with the original purpose of the Act – to increase the portability of health insurance between jobs, to limit exclusions from health insurance for pre-existing conditions, and to guarantee policies are renewed in multiemployer plans and multiple employer welfare arrangements.
In this respect, the first thing HIPAA protects is the right to change jobs without losing health coverage, being excluded from coverage because of a pre-existing condition, or having to pay a higher premium or deductible because of a pre-existing condition. As President Clinton said when signing the Act, “No longer need you hesitate about taking a better job because you are afraid to lose your coverage”.
HIPAA Protects against Fraud and Abuse
One of the issues related to the coverage protections was who was going to pay for them. At the time, the cost of health insurance premiums was increasing by double digit percentages each year; and, with health plans now limited on what exclusions they could apply, the concern was that the cost of portability and accountability would be passed on to employers and plan members via higher premiums and higher deductibles.
However, a report used in the preparation of HIPAA noted “as much as 10 percent of total health care costs are lost to fraudulent or abusive practices by unscrupulous healthcare providers”. According to the Government Accountability Office, the actual loss was probably higher because the resources did not exist to detect fraudulent or abusive practices and there was no coordination between state and federal law enforcement agencies.
To resolve the issue and reduce increases in health insurance premiums, HIPAA introduced stricter penalties for healthcare providers found to be making fraudulent claims for payment (including exclusion from the Medicare program). Congress also instructed the Secretary for Health and Human Services to create a Fraud and Abuse Control Program and allocated $104 million to support the program in its first year – increasing the budget by 15% per year thereafter.
HIPAA Protects the Integrity and Confidentiality of Data
In the context of what does HIPAA protect, possibly the most relevant reference to protection appears in the Administrative Simplification provisions relating to the protection of health information when it is transmitted electronically between healthcare providers, health care clearinghouses, and health plans. This reference to what does HIPAA protect also came as a result of the report used in the preparation of HIPAA.
In the report, the House Ways and Means Committee identified considerable inefficiencies in the processing of eligibility checks, authorization requests, and claims for payments due to different entities using different codes for the same types of transactions. To eliminate these inefficiencies, HIPAA instructed the Secretary for Health and Human Services to develop code sets and transaction standards to standardize claims processing and reduce costs.
The reference to the protection of health information was attributable to the increasing volume of transactions being conducted electronically and the risks to the integrity and confidentiality of data due to hacking and human error. Consequently, HIPAA instructed the Secretary to develop security standards (subsequently published in the Security Rule) and make recommendations with respect to the privacy of certain health information (subsequently published in the Privacy Rule).
What Does HIPAA Protect in the Privacy and Security Rules?
In order to answer this question, you have to take each Rule separately. The HIPAA Privacy Rule protects the privacy of individually identifiable health information by stipulating permissible uses and disclosures of protected health information. Importantly, there is a difference between individually identifiable health information and protected health information. Furthermore, only individually identifiable health information maintained in a designated record set is protected.
Additionally, HIPAA gives patient´s some rights over how their protected health information is used and disclosed. These rights protect – for example – against disclosures to health insurers when healthcare has been paid for privately (to avoid increased premiums), and the use of personally identifiable information for marketing or fundraising purposes. Patients can also request an accounting of disclosures to ensure Covered Entities are complying with the HIPAA protections.
With regards to what does HIPAA protect in the Security Rule, the standards of the Security Rule stipulate the measures that need to be put in place to protect electronic protected health information at rest and in transit. This means adequate measures must be implemented to prevent unauthorized access to systems maintaining protected data and to prevent transmissions of protected data being intercepted or mis-directed.
What does HIPAA Not Protect?
As well as any individually identifiable health information not maintained in a designated record set, HIPAA protections do not apply to any organization not covered by HIPAA that creates, collects, maintains, or transmits individually identifiable health information. Therefore, HIPAA does not protect health data collected by fitness apps or sleep trackers, or any information collected online that could be used to determine an individual´s identity and health status.
Because of these limitations, many states have introduced their own privacy and security legislation with provisions that preempt HIPAA. There are also dozens of bills being considered at the federal level which relate to consumer privacy, health privacy, and financial privacy. Many of these bills extend HIPAA protections to other areas of commerce and technology and increase what HIPAA protects – or fills the gaps in areas that HIPAA does not protect.