The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was introduced first and foremost to protect patient rights. However, although all healthcare professionals will have heard of the legislation, relatively few patients will know about it. This article aims to explain what HIPAA legislation is and how it protects patient privacy.
HIPAA consists of five “Titles”. Most of the titles concern health insurance policies and how group health insurance plans are to be managed. However, when most people refer to HIPAA, they actually mean the second title (Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform). This is the part of HIPAA that relates to data privacy, and it is thus the focus of this article.
In 2003, the Privacy Rule was added to HIPAA. It gave a definition of Protected Health Information (PHI), which includes all health records, current treatment plans and diagnoses, as well as identifiers such as a name or Social Security number that could be used to trace an individual. Examples of PHI are given below:
· Telephone numbers
· Addresses or geographical information smaller than the State level (except the first three digits of a ZIP code)
· Social Security numbers
· Fax numbers
· Email addresses
· Medical records
· Health insurance numbers/beneficiary numbers
· Account numbers (e.g. bank account)
· Certificate or license numbers
· Vehicle license plates or other identifiers
· Device serial numbers
· URLs associated with the patient
· IP addresses
· Biometric identifiers (e.g. finger, retinal and voice prints)
· Photographs or video footage
The Privacy Rule also describes the “Minimum Necessary” rule, which states that only the information needed to complete a healthcare-related task can be shared with authorized individuals. This means that, for example, if information needs to be sent to billing, only information relating to the treatment in question is sent, and not the patient’s entire medical record.
The Privacy Rule also gives patients the right to request access to their medical information, to request changes to that information if they believe it is inaccurate, and to know who has accessed it. These are all important rights, as they allow patients to take a more active part in their healthcare. Importantly, these rights cannot be restricted if patients have outstanding medical bills.
The Security Rule was added to the legislation in 2005. Its primary purpose is to describe how PHI is to be protected under HIPAA. It defines three classes of “safeguards” that must be implemented to protect patient data. Examples of the safeguards are as follows:
· Administrative safeguards: clear reporting mechanisms, assignment of security personnel, PHI access management, regular training courses, yearly (or more frequent) audits
· Physical safeguards: clear desk policies, security guards, locking desks, facility access restrictions
· Technical safeguards: encryption, transmission security, two-factor authentication
The Office for Civil Rights (OCR) conducts regular audits to ensure that all these safeguards are in place. The OCR assesses how comprehensively HIPAA is being followed and offers corrective action plans if it sees anything amiss. If a serious violation is discovered, the OCR will prosecute the company in question. This may result in a large fine proportionate to the nature of the violation, and in some serious cases criminal charges may be filed.