An Introduction to HIPAA

HIPAA stands for the Healthcare Insurance Portability and Accountability Act. The law was signed on August 21^st, 1996 with the initial goal to improve the accountability and portability of health insurance for employees changing jobs, and to combat waste, fraud, and abuse in the healthcare industry. In addition, the legislation promoted the use of health savings accounts through tax breaks, introduced rules seeking to simplify healthcare administration, and provided coverage for those with certain pre-existing conditions. After the law was signed, the department of Health and Human Services began work on creating HIPAA privacy and security rules which are in effect today. HIPAA regulates the use of Protected Health Information (PHI) in the healthcare economy today. Understanding your rights under HIPAA is important to make sure your information is kept private and appropriately shared.

Your health information is protected under HIPAA whether it is stored on paper or electronically, and you have specific rights under the law. You have the right to see or get a copy of your records. Due to the specifics involved with your care, you might be able to see only a portion of your medical records, but you always have the right to ask your provider. This is important, because reviewing your medical records can help improve your health.

If you find a mistake in your medical records, you have the right to ask for a correction. You can submit a written statement of disagreement which will be kept with your permanent medical records. Typos and data entry mistakes are not uncommon in the medical field. This right gives you the ability to make sure all your medical records are correct.

You have the right to know how your health information is used and shared. Your providers can share your information without your permission to help determine how to treat you, but they can’t share it for example, with an employer without your permission. You can choose which family members or friends can see your information. This is important when family and friends are assisting in your care and might need access to your records. For example, if you are incapacitated after a surgery and need your family member or friend to pick up a prescription, you can authorize them to do so.

Your provider might need to share your information for treatment, payment, and healthcare operations. Medical providers can share your information with a specialist to assist in your treatment, or with your insurance company to arrange payment for the treatment you receive. A hospital where you received treatment might use your information to evaluate the performance of staff, or to improve other healthcare operations. These instances of information sharing do not require your permission under HIPAA.

You have the right to an accounting of disclosures. This is a report of who has seen your health information.

You have the right to tell your provider how you want to be contacted. For example, you can designate if a provider can leave a message when calling you. This is an important right if you want to keep sensitive health information out of voicemail or your email. It’s important to have the right to designate how you are contacted. You don’t want sensitive health information accidentally left on your work voicemail. This right allows you to make sure your health provider does not call your work phone or leave a message.

All of your rights under HIPAA are spelled out in the Notice of Privacy practices which should be given to you or posted at your medical providers’ office. It lets you know how your information is used and shared and how your rights are protected. Often you will be asked to sign a form acknowledging that you have read the Notice of Privacy practices. Take your time to understand the rights spelled out in the notice. If you don’t have time to read and digest the notice at the office, you have the right to request a copy of the notice at any time. If you are not clear about the information in the Notice of Privacy practices, ask your healthcare provider to help explain it.

Under the HIPAA security rule, your providers are required to keep your information secure. Your provider should have administrative safeguards in place to make sure your information is protected. Physical safeguards should also be instituted at your medical provider. For example, security locks, alarm systems, and the strategic positioning of printers and computers should be employed to protect your privacy. Technical safeguards should also be in place to protect your information from hackers or identity thieves. Password protection, firewalls, and encryption are effective technical safeguards. If your provider is not complying with HIPAA they could be subject to fines and penalties.

You have the right to file a complaint if you think your rights have been violated. Contact the U.S. Department of Health and Human services to file a complaint. The easiest way is to go to HHS.gov website. Anyone can file a complaint, and it can be done electronically via the OCR Complaint Portal, by mail, or by email (OCRComplaint@hhs.gov). If you have questions about the complaint process you can call 1-800-368-1019 to speak to the Deparment of Health and Human Services, Office for Civil Rights.

References

1. gov: Health Information Privacy
2. gov: Your Rights Under HIPAA
3. Your Health Information, Your Rights
4. HIPAA Law and the Privacy Rule to Protect Your Medical Information
5. HIPAA Combined Regulation Text PDF
6. HIPAA History