The majority of Americans know that HIPAA relates to healthcare providers, but many people do not realize how important HIPAA is to patients.
The Health Insurance Portability and Accountability Act
The Health Insurance Portability and Accountability Act of 1996 – or HIPAA – is a federal law that is applicable to health plans,, healthcare providers, and healthcare clearinghouses. HIPAA likewise applies to vendors – business associates – that carry out functions for HIPAA-covered entities that require access to protected health information (PHI).
Bill Clinton signed HIPAA into law in 1996, although the law has been updated through the years, particularly in 2000 – the HIPAA Privacy Rule update, in 2003 – the Security Rule update, and in 2009 – the Breach Notification Rule update.
At first, HIPAA was meant to enhance the health insurance system and make the administration of healthcare simpler; however, it has since been broadened substantially. Now HIPAA covers patient privacy, allowable uses and disclosures of health information, and data security.
HIPAA was primarily introduced to help consumers rather than healthcare providers, but it is complex and not fully understood by a lot of patients and health plan members. This post significantly simplifies HIPAA and clarifies why it is vital to patients.
Why is HIPAA Vital to Patients?
There are four main elements of HIPAA that make it vital for patients: Privacy of health data, security of health information, medical records breach notifications, and the right to acquire copies of healthcare information.
Privacy of Health Data
The HIPAA Privacy Rule limits the people who can view healthcare information and those with whom healthcare information may be shared without first obtaining consent. In general, access to health information is limited to healthcare staff who need to view health and personal data in order to provide healthcare services and complete administration duties.
Healthcare organizations may only disclose PHI with business associates that carry out healthcare operations services for a covered entity that need PHI access, for example, mailing vendors, transcription service providers, and payment processors. In these cases, those business associates need to agree to maintain data security and similar rules apply to PHI access and disclosure as to HIPAA-covered entities. Any PHI that is shared should be restricted to the minimum required amount necessary for the business associate to provide its contracted services.
Authorization should be acquired from patients prior to sharing their PHI with organizations for other reasons, such as research and marketing.
The Privacy Rule likewise permits patients to specify who is allowed to acquire their health information on their behalf – Friends, family members, or caregivers.
Security of Health Information
HIPAA requires healthcare companies to employ safeguards to make sure any health information generated, stored, or sent is kept protected all the time. Those controls consist of administrative measures, physical protection for paper records and digital devices that retain health information, and technical controls such as encryption, anti-virus software, and firewalls. Healthcare personnel should likewise be trained how to identify threats including phishing emails and other email and internet-based threats.
Medical Records Breach Notification
While HIPAA safeguards patient privacy by putting limitations on who could access health information and healthcare providers need to apply security measures to keep PHI safe, privacy and security breaches could still occur.
HIPAA requires healthcare providers, health plans, healthcare clearinghouses and their business associates to notify patients in the event that their health data is exposed or stolen. This enables breach victims to do something to safeguard their identities and reduce the risk of falling victim to scams. Under HIPAA, notifications must be sent within 2 months of the discovery of a breach.
Getting Copies of Medical Data
HIPAA gives patients and plan members the right to obtain copies of the health data generated or stored by healthcare companies. By getting copies of health information, patients could have a more dynamic role in their own healthcare.
Although theoretically, a healthcare provider must transmit health data to another provider giving treatment to the same patient, there are still barriers that prevent the transfer of all health data.
By getting copies of health data, patients could easily share their data with another healthcare company, or provide that information to companies conducting medial research.
One other valuable reason for getting copies of health information is to see if there are errors in health records. If an error is made documenting health information, it can have negative consequences for patients, and may influence doctor’s decisions about the best treatment. It is thus essential for patients to check their medical records for mistakes and ensure errors are corrected.
HIPAA Rules Do Not Cover all Healthcare Providers
Although the above rights and protections are applicable to the majority of healthcare providers and health insurance providers, they don’t apply to ALL healthcare organizations, even when those institutions seem to offer identical services to HIPAA-covered entities and gather similar types of information.
For instance, HIPAA doesn’t apply to health app developers, except if they are hired by a HIPAA covered entity to create apps or offer apps to patients. HIPAA is not applicable to life insurance firms, workers compensation plans, employers, educational institutions, a lot of state agencies, law enforcement bureaus, the media, and many municipal offices.
As a result, the protections laid down by HIPAA don’t apply to those organizations.