Editor’s Note: This blog was last updated 3/14/2018
Most of us agree that our right to privacy should include medical and health records. We all expect our doctors and healthcare entities to keep this information confidential unless otherwise specified.
But who is regulating that privacy? What procedures are in place to maintain our rights and keep our data secure? And whom do we contact if we suspect our data has been breached or mishandled?
The answer to all of these questions is HIPAA.
What is HIPAA? Legally speaking, HIPAA is defined as:
An Act to amend the Internal Revenue Code of 1986 to improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other purposes.
Right. Let’s see if we can simplify things just a bit.
How to remember HIPAA:
It’s not Privacy Protection Act.
It’s Privacy Accountability Act.
It’s actually Portability, but that’s not memorable.
— SecuriTay (@SwiftOnSecurity) April 19, 2016
Signed into law back in 1996, the Health Insurance Portability and Accountability Act, better known as HIPAA, is designed to make sure that medical information is kept confidential and private and only used in the way for which it is intended. This means that medical information can only be collected, shared, stored, and used for legitimate purposes and must be properly protected.
The kinds of health information protected by HIPAA include anything about the patient’s medical condition: the treatment provided or advice given, information about payment and insurance, and anything that can be used to identify the individual.
The goal of HIPAA is to balance the patient’s need for privacy and security against the needs of the provider, insurer or other covered entities that collect and use health information. In some circumstances, such as the need to protect the public health from an epidemic, disclosures are permitted.
But as a general rule, if the disclosure or use is not for treatment, payment or healthcare operations, the patient’s written authorization is required.
Furthermore, the HITECH Act in 2009 made sure that the HIPAA privacy and security regulations, including the data breach notification requirements, apply not only to healthcare entities but to those business associates with whom they share health data.
Covered entities include healthcare providers (like doctors, hospitals, and labs), health plans (like HMOs and PPOs), and healthcare clearinghouses that collect and process healthcare data. While not every entity that has some connection to health information is “covered” by HIPAA, if you collect or use health information, even if it came from a third party, you must use it properly and protect it.
A key term under HIPAA is “PHI,” or protected health information. This is any health information that is about, or can be linked to, a particular person, such as information about a diagnosis, treatment, or lab result.
PHI is protected no matter how or where it is collected or stored, such as on a computer, in an email, on a patient’s chart, on a post-it note, on a smartphone, or even in a voicemail. If it relates to an identifiable person’s health, it is probably PHI.
The mere fact that a person is a patient or has received treatment, or simply made an inquiry about treatment, can be considered PHI.
Why HIPAA Matters To You As A Patient
Your rights as a patient are protected under the Privacy Rule, which is defined by the Department of Health and Human Services as:
A Federal law that gives you rights over your health information and sets rules and limits on who can look at and receive your health information. The Privacy Rule applies to all forms of individuals’ protected health information, whether electronic, written, or oral.
You have a right to know about the data collection and privacy practices. You can generally (but not always) see your own health information, and make sure it is accurate. You can opt out of the patient directory so other people won’t know you are a patient. You have the right to know why your health information has been disclosed and to whom.
You can communicate confidentially with providers. For example, a request such as “Don’t email my medical records” or “Only call me at a particular number” should be honored and treated with the same care as a confidential document.
And finally, you have a right to complain, both internally and to regulators, if you know or suspect that your privacy has been violated.
Why HIPAA Matters To You As An Employee
In addition to protecting privacy, HIPAA requires covered entities to provide security for PHI. The information you handle on a day-to-day basis is very sensitive, and extra steps are needed to make sure that it is protected, no matter where it is.
In hectic healthcare environments, this can be a challenge, particularly where patient treatment is concerned. Unlike an ordinary office, a hospital or other medical provider may have many patients, family members, staff, and others milling about.
Therefore, you should take reasonable precautions to make sure that PHI is not exposed: turning computer screens so they can’t be seen by unauthorized individuals, ensuring that systems “time out” after a period of non-use, requiring users to authenticate themselves, and keeping patient records behind the desk so they can’t be seen by unauthorized individuals. Remember, the goal is to protect PHI. Failure to achieve that goal not only damages the reputation of your employer but can also result in heavy fines. The HIPAA and HITECH laws require both covered entities and business associates to disclose any unauthorized access to, or loss of, unencrypted or unsecured PHI.
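Two of the controls just listed, timing out idle sessions and requiring users to re-authenticate, together with the patient’s right (from the Privacy Rule section above) to know who accessed their information and why, can be illustrated in code. The example below is added here and is not code from the original post or from any HIPAA guidance; the session store, the 5-minute idle limit, the user and record names, and the purpose strings are constructed assumptions. It shows an idle-timeout gate in front of every PHI access and an access log that records who read what and for which purpose.

```python
"""Idle-timeout session gate plus PHI access log (added example, not from the post).

Assumptions (constructed for illustration):
  - IDLE_TIMEOUT_SECONDS is the workstation policy value.
  - Users, session ids and record ids are made-up sample values.
  - A real system would persist the access log and tie it to the
    accounting-of-disclosures process; here it is an in-memory list.
"""
from dataclasses import dataclass, field
import time

IDLE_TIMEOUT_SECONDS = 300  # assumed policy: lock after 5 minutes without activity


@dataclass
class Session:
    user: str
    last_activity: float
    authenticated: bool = True


@dataclass
class AccessEvent:
    user: str
    record_id: str
    purpose: str
    timestamp: float


class SessionManager:
    """Tracks sessions, enforces the idle timeout, and logs every PHI access."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT_SECONDS, clock=time.monotonic):
        self.idle_timeout = idle_timeout
        self.clock = clock          # injectable so the timeout can be tested deterministically
        self.sessions = {}
        self.access_log = []        # AccessEvent entries, oldest first

    def login(self, session_id, user):
        """Create a fresh, authenticated session for a user who just presented credentials."""
        self.sessions[session_id] = Session(user=user, last_activity=self.clock())

    def touch(self, session_id):
        """Record activity. Returns False (and locks the session) if it sat idle too long."""
        session = self.sessions.get(session_id)
        if session is None or not session.authenticated:
            return False
        if self.clock() - session.last_activity > self.idle_timeout:
            session.authenticated = False   # locked: user must re-authenticate
            return False
        session.last_activity = self.clock()
        return True

    def reauthenticate(self, session_id, user):
        """Unlock a timed-out session only for the same user who originally logged in."""
        session = self.sessions.get(session_id)
        if session is None or session.user != user:
            return False
        session.authenticated = True
        session.last_activity = self.clock()
        return True

    def access_phi(self, session_id, record_id, purpose):
        """Gate a PHI read behind the idle check and log who accessed what and why."""
        if not self.touch(session_id):
            raise PermissionError("session locked or missing: re-authenticate before viewing PHI")
        user = self.sessions[session_id].user
        self.access_log.append(AccessEvent(user, record_id, purpose, self.clock()))
        return f"record {record_id} released to {user} for {purpose}"

    def disclosures_for(self, record_id):
        """What a patient could be told: every (user, purpose) pair that touched their record."""
        return [(e.user, e.purpose) for e in self.access_log if e.record_id == record_id]


class FakeClock:
    """Manually advanced clock so the idle timeout can be exercised without waiting."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


if __name__ == "__main__":
    clock = FakeClock()
    mgr = SessionManager(clock=clock)
    mgr.login("ws-12", "nurse_a")          # constructed sample session
    clock.t = 100
    print(mgr.access_phi("ws-12", "MRN-0001", "treatment"))
    clock.t = 500                          # 400 s idle: beyond the 300 s limit
    try:
        mgr.access_phi("ws-12", "MRN-0001", "treatment")
    except PermissionError as exc:
        print("blocked:", exc)
    mgr.reauthenticate("ws-12", "nurse_a")
    print(mgr.access_phi("ws-12", "MRN-0001", "treatment"))
    print(mgr.disclosures_for("MRN-0001"))
```

The clock is injected so the timeout path can be driven deterministically; in production the default `time.monotonic` is used. Locking rather than deleting the session preserves the user’s context while still forcing fresh credentials, and every successful read leaves a log entry the patient can later be shown.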
Tying it All Together
There is a lot of confusion about what HIPAA does and does not require. While the 1996 law and its regulations are long and complicated, the basic principles are simple.
As an employee, the most important things you need to know are how to store, transmit, and dispose of PHI. HIPAA has specific requirements for how you handle this data. If you don’t know, ask!
As a patient or individual, you should know your rights and know which entities are covered under HIPAA. For more information, visit www.hhs.gov, where you can find specifics about what information is protected, and file an official complaint should you feel your rights have been violated.
Posted by Justin Bonnema