The Health Insurance Portability and Accountability Act of 1996, or HIPAA, provides data privacy and security protections for personal health information. This overview will give you a general understanding of the HIPAA Privacy and Security Rules and how they may affect you as a patient or healthcare provider.
What is the Health Insurance Portability and Accountability Act (HIPAA)?
The Health Insurance Portability and Accountability Act, or HIPAA, is a federal law that was signed by President Bill Clinton on August 21, 1996. It protects the confidentiality of medical information and sets national standards for the security of electronic health information.
HIPAA applies to all types of healthcare providers, including doctors, hospitals, clinics, pharmacies, insurance companies, and other healthcare organizations. Patients have the right to know how their information will be used, disclosed, and kept confidential.
Healthcare providers must provide patients with a notice of their privacy practices. This notice must explain how personal medical information may be used and disclosed.
The History of HIPAA
The Health Insurance Portability and Accountability Act (HIPAA) was enacted on August 21, 1996. The Department of Health and Human Services issued the first set of regulations implementing HIPAA, known as the Privacy Rule, on April 14, 2003. The Privacy Rule established national standards to protect individuals’ medical records and other personal health information held by covered entities.
HIPAA Covered Entities
A covered entity is defined as a health plan, a health care clearinghouse, or a health care provider that conducts certain transactions in electronic form.
Healthcare providers: Every healthcare provider, regardless of the size of the practice, that electronically transmits health information in connection with certain transactions. These transactions include:
- Benefit eligibility inquiries
- Referral authorization requests
- Other transactions for which HHS has established standards under the HIPAA Transactions Rule
Health plans: Organizations that provide or pay for the cost of medical care, including:
- Health, dental, vision, and prescription drug insurers
- Health Maintenance Organizations (HMOs)
- Medicare, Medicaid, Medicare+Choice, and Medicare supplement insurers
- Long-term care insurers (excluding nursing home fixed-indemnity policies)
- Employer-sponsored group health plans
- Government- and church-sponsored health plans
- Multi-employer health plans
Healthcare clearinghouses: Entities that process nonstandard information they receive from another entity into a standard or vice versa. In most instances, healthcare clearinghouses will receive individually identifiable health information only when they are providing these processing services to a health plan or healthcare provider as a business associate.
Business associates: A person or organization using or disclosing individually identifiable health information to perform or provide functions, activities, or services for a covered entity. These functions, activities, or services include:
- Claims processing
- Data analysis
- Utilization review
What Information is Protected?
Protected health information (PHI) includes:
- a patient’s name, address, birth date, Social Security number, biometric identifiers, or other personally identifiable information (PII);
- an individual’s past, present, or future physical or mental health condition;
- any care provided to an individual; and
- information concerning the past, present, or future payment for the care provided to the individual.
PHI does not include:
- employment records, including information about education, as well as other records subject to or defined in the Family Educational Rights and Privacy Act (FERPA); and
- deidentified data, meaning data that does not identify an individual or provide information that could be used to identify an individual; there are no restrictions on its use or disclosure.
How HIPAA affects health insurance and health care providers
HIPAA affects health insurance in several ways. It requires all health insurers to maintain the confidentiality of their customers’ health information. This means that health insurers cannot share their customers’ health information with anyone outside of the company without the customer’s permission. HIPAA also prohibits healthcare providers from sharing patients’ health information with anyone outside of the provider’s organization without the patient’s permission. This includes sharing information with other healthcare providers, insurance companies, employers, and family members. HIPAA requires all healthcare providers to take reasonable steps to protect the confidentiality of their patients’ health information.
The Privacy Rule
The Department of Health and Human Services released the HIPAA Privacy Standards. The Standards generally limit the use and disclosure of PHI to the minimum necessary to accomplish the intended use or disclosure. The Privacy Rule also gives patients the right to request and receive copies of their records, to request amendments to their records, and to learn the details of certain disclosures of their records.
The Security Rule
The Security Rule builds on the HIPAA Privacy Rule, defines how PHI must be kept secure, and establishes requirements to ensure the confidentiality, integrity, and availability of individual health information. These requirements include safeguards for the physical storage and maintenance of, transmission of, and access to individual health information.
What are the rights of covered individuals under HIPAA?
Covered individuals under HIPAA have the right to:
Access their own medical records:
Covered individuals have the right to access, view, and copy their own medical records. They can also ask to have their records amended if they believe there are errors in them.
Request restrictions on use and disclosure:
Covered individuals can request that their information not be used or disclosed for certain purposes. They can also request that their information only be shared with certain people or entities, such as family members or doctors.
Receive confidential communications:
Covered individuals have the right to receive confidential communications from their healthcare providers.
File a complaint:
Covered individuals can file a complaint with the Department of Health and Human Services Office for Civil Rights.
What Are the Consequences of Unauthorized Uses or Disclosures of PHI?
As with civil penalties, there are different levels of severity for criminal violations.
Covered entities and specified individuals who “knowingly” obtain or disclose individually identifiable health information in violation of the Administrative Simplification Regulations face a fine of up to $100,000 and imprisonment of up to 5 years.
Offenses committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm permit fines of $250,000 and imprisonment of up to 10 years. For more health information, visit Centric Healthcare.