What is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) became effective on July 1, 1997. Initially, the primary goal of HIPAA was to protect an insured person's insurability. Before this law, if an insured person lost insurance coverage for some reason, such as changing jobs, they could be required to prove their insurability before obtaining new coverage. For most people this wasn't a problem; however, for people with chronic health problems or whose health deteriorated while they were covered, it was a serious problem. Such people lived in constant fear of losing their jobs and thereby losing their health insurance. As a result of HIPAA, if a person has been insured for the most recent 12 months, a new insurance company cannot refuse to cover the person or impose a waiting period before providing coverage. HIPAA also offered federal protections to those with pre-existing conditions for the first time.
It soon became evident that successful HIPAA implementation would require a major upgrade to communications between health care providers, insurance plans and employers. Many security, privacy, and confidentiality issues would also have to be addressed as technology and the means of sharing health information evolved. So, the law was written to include those kinds of mandates, with significant penalties for non-compliance, including monetary fines and criminal penalties such as prison time for serious, intentional privacy or security violations.
Congress passed the Health Information Technology for Economic and Clinical Health (HITECH) Act as part of the American Recovery and Reinvestment Act (ARRA) of 2009, which made several significant modifications to HIPAA. On January 25, 2013, the US Department of Health and Human Services (HHS) published the Omnibus Final Rule, which implemented changes to HIPAA pursuant to the HITECH Act and the Genetic Information Nondiscrimination Act (GINA) of 2008. The Omnibus Final Rule also made additional changes to the HIPAA regulations. The Omnibus Final Rule became effective on March 26, 2013, and its compliance date was September 23, 2013.
The most well-known aspects of HIPAA now are those created to ensure privacy and security in patients' health information. The information below concerns the aspects of HIPAA designed to protect health information.
Who is HIPAA for?
HIPAA is for you. It protects your health information that is kept by providers (doctors, clinics, hospitals, etc.), health plans (insurance companies, Medicaid), and a type of entity called a health care clearinghouse, which is often a business that does medical billing for providers so that they can submit proper claims to insurers. These are called Covered Entities. Your protected health information (PHI) is health information that is kept or created by a Covered Entity and can be used to identify you individually.
Who does HIPAA apply to?
HIPAA only applies to Covered Entities and their contractors, which are called Business Associates. When a Covered Entity hires a Business Associate to perform work which would give them access to your PHI they must sign an agreement called a Business Associate Agreement (BAA). HIPAA requires the BAA to hold the contractor to the same standards as the Covered Entity regarding protection of your health information. Also, the contractor, or Business Associate, can only have access to the parts of your PHI that they need to do their jobs. So, for example, if a Covered Entity hires a Business Associate for the sole purpose of calling patients to remind them of their appointments, the Business Associate would only have access to the information they need to do that. In this case that would usually be just your name, phone number, provider and appointment time.
What does HIPAA do?
HIPAA requires Covered Entities and Business Associates to keep your Protected Health Information private and secure.
The Privacy Rule
HIPAA requires Covered Entities and Business Associates not to disclose your PHI except in well-defined, limited circumstances. A Covered Entity must disclose your PHI to you or to a third party that you authorize to receive it. Other HIPAA-permitted disclosures include when your health providers need to discuss your health information with each other for treatment purposes or when your provider submits a claim to your insurance company. Sometimes, your health information must be disclosed because it is required by law or because it is the subject of a court order or subpoena.
The Privacy Rule also requires that Covered Entities keep any paper records private, to avoid unauthorized disclosure. This usually means that paper records are kept in a secure location such as a locked cabinet.
A full explanation of HIPAA-authorized disclosures is available here: https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html
The Security Rule
The HIPAA Security Rule requires Covered Entities to keep your Protected Health Information secure. This means that electronic PHI (ePHI) should be stored only on encrypted, password protected devices. Exchange of your ePHI should only occur over networks with appropriate security safeguards (encryption, etc.) in place.
How Can I Report a HIPAA violation?
If you believe PHI was disclosed in violation of HIPAA or if you believe that PHI has not been kept private and secure as required by HIPAA, you can file a complaint in ONE of the following ways:
- Contact the Privacy Officer for the Covered Entity. All Covered Entities are required by HIPAA to appoint a person as the Privacy Officer. Their name and contact information should be posted on the Covered Entity's website and should be made available to you if you ask them for the information. The information is required to be part of the “Notice of Privacy Practices" that all patients receive.
- File a Complaint with HHS
You can file a complaint directly with the United States Department of Health and Human Services (HHS), Office of Civil Rights (OCR): https://www.hhs.gov/hipaa/filing-a-complaint/index.html