HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. It is a law that protects the rights and privacy of patients by introducing healthcare standards. Compliance with HIPAA is required by organizations and individuals who handle protected health information (PHI).
Not all patients recognize that the act is about safeguarding them and their personal information. However, understanding the legislation helps them ensure they always receive proper and secure support. Moreover, HIPAA knowledge helps patients advocate for themselves at every step of their personal health journeys.
Related: HIPAA compliant email: the definitive guide
What is HIPAA?
HIPAA is a law enacted to reform the healthcare industry and reduce fraud related to health transactions. The law applies to covered entities (healthcare providers, health plans, and healthcare clearinghouses) and their business associates. It establishes national standards that protect PHI from disclosure without a patient’s consent or knowledge.
Navigating HIPAA compliance requires a basic understanding of the Privacy and Security Rules. The Privacy Rule safeguards PHI, ensuring it is handled with confidentiality and integrity. The Security Rule maintains the security of electronic PHI (ePHI). Alongside these two rules is the Enforcement Rule, which provides standards for enforcing HIPAA and penalizing noncompliant organizations.
The HITECH Act promotes the adoption and meaningful use of technology as it pertains to health information. With HITECH came two additional rules:
- Breach Notification Rule: requires organizations to provide notification following a breach of unsecured PHI
- Final Omnibus Rule: incorporates HITECH by improving patient privacy protection
HIPAA mandates that organizations comply with its regulations by implementing technical, physical, and administrative safeguards. The rules, however, can be complex and confusing to patients who may not understand how the rules protect them.
Read about: Understanding and implementing HIPAA rules
HIPAA from the patient perspective
HIPAA protects the rights and privacy of patients, empowering and giving them control over their health data. Understanding these rights lets patients make informed decisions about who they see, how they see them, and what type of treatment plan to follow. Furthermore, patients can make informed decisions about how their PHI is used, viewed, and accessed.
There are four key protections that HIPAA extends to patients:
- Privacy of health information
- Protection of health information
- Warning after PHI breaches
- Control of health records
By understanding and exercising their rights under HIPAA, patients who wish to can take greater responsibility for their healthcare. Why might this be important? Here are four reasons why understanding HIPAA gives patients an edge.
Patients can restrict PHI exposure
By knowing HIPAA, patients can figure out what personal information they want to be seen by different medical professionals and/or family members. They have the right to give their authorization and revoke it at any time. While there are times when this consent can be ignored (e.g., in some emergencies), for the most part, it must be followed.
More Info: Patient consent: What you need to know
Patients can remove inaccurate information
Understanding HIPAA allows patients to access their personal medical information and be made aware of any inaccuracies in their PHI, records, and billing information. Such erroneous information can result in treatment delays, misdiagnosis, and added costs. If a patient asks for a correction, healthcare organizations must update their records.
Patients can detect identity theft
Patients can prevent fraud and abuse by knowing HIPAA. Medical identity theft can have a huge impact on a patient who might face:
- Financial consequences
- Damaged healthcare records
- Disruption to care
Under HIPAA, healthcare organizations must notify patients after a breach. With this knowledge, patients can then monitor their accounts, look for signs of scams, freeze their credit, and inform businesses (e.g., banks) of potential future issues.
Patients can engage in their own care
Finally, by knowing HIPAA, patients can reduce medical mistakes, engage in their personal care, and properly work with (rather than against) their treatment plan. By understanding their health rights, patients can make better-informed decisions. Proper patient engagement is known to improve health outcomes, patient satisfaction, and healthcare efficiency.
Demonstrating HIPAA compliance to patients
Here are a few things that healthcare professionals can do to help their patients learn and appreciate HIPAA while demonstrating their HIPAA compliance.
1. Keep patients informed. For example, healthcare organizations must share a notice of privacy practices (NPP), which outlines their privacy policies, how they handle PHI, and how they notify patients of their rights.
2. Listen to patients and honor their preferences. The Privacy Rule requires patients to give written authorization before organizations use, disclose, release, or share PHI.
3. Give patients access to their information. Under HIPAA’s Right of Access, patients have the right to see and/or obtain copies of their health records. They also have the right to decide how to receive them, whether they want their records shared with someone else, and whether they want to request any corrections.
4. Protect patients’ PHI. The HIPAA Security Rule requires strong safeguards to protect PHI from breaches and unauthorized viewing. Such safeguards might include encryption, access controls, firewalls, and communication through HIPAA compliant email.
Enhancing not hindering the patient experience
To some, HIPAA can seem like a hindrance to patient care, but in reality it is a protection. HIPAA helps patients who want a more active role. The act’s purpose is to protect the privacy and security of patients, not that of healthcare organizations. By following HIPAA regulations, healthcare providers give assurance that patient information is protected from unauthorized access, use, and disclosure.
See also: Patient experience and HIPAA: What you need to know
FAQs
What is protected health information (PHI)?
PHI is any information held by a covered entity or business associate that concerns health status, the provision of healthcare, or payment for healthcare that can be linked to an individual. This includes a wide range of identifiers that could be used to identify the individual.
What if a patient requests their medical records electronically?
Patients have the right to request their medical records electronically under HIPAA. According to the HHS, "The Privacy Rule generally requires HIPAA covered entities (health plans and most health care providers) to provide individuals, upon request, with access to the protected health information (PHI) about them in one or more ‘designated record sets’ maintained by or for the covered entity. This includes the right to inspect or obtain a copy, or both, of the PHI, as well as to direct the covered entity to transmit a copy to a designated person or entity of the individual's choice."
What should I do if a patient wants to restrict how their information is shared?
Patients can request restrictions on the sharing of their PHI under HIPAA. Healthcare professionals must consider and document these requests while ensuring compliance with HIPAA regulations and ensuring that restrictions do not interfere with treatment, payment, or healthcare operations.
What if a patient requests an accounting of disclosures of their PHI?
Patients can request an accounting of disclosures of their PHI under HIPAA. Covered entities must provide patients with the requested information, including details of disclosures made, within the specified timeframe.