What Consumers Need to Know About HIPAA
Between 2003 and 2009, technology changed the medical privacy landscape. Electronic medical records started replacing paper files. Patients began communicating with their doctors by email and through online portals, while pharmacies began to process prescriptions electronically. Concerned citizens began to ask how the government would address privacy and security concerns related to these electronic transmissions and guard against unauthorized access and data breaches.
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 was established to do just that: protect health information for patients and their families. HIPAA is the main federal law that safeguards health data, whether that data is on paper, in electronic files or even expressed verbally. Health care providers and professionals and the government are required to handle health information judiciously.
The U.S. Department of Health and Human Services (HHS) is the federal agency in charge of creating the rules that implement HIPAA and enforcing the regulations. There are other federal laws that apply to such specific types of health information as genetic data, health information in school records and medical research.
Specifically, the HIPAA Privacy Rule sets limits on how your health information can be used and shared with others. The HIPAA Security Rule targets electronic health information and details how it must be kept secure with administrative, technical and physical safeguards, including passwords and encryption, so that only the folks who have a need to know about your health information have access to it.
Specific types of health information, such as data related to federally funded alcohol and substance abuse treatment, are protected by HIPAA. State laws offer additional protections and health information rights.
Health care clearinghouses are go-betweens for health care providers and health plans that process information so that it can be transmitted in a standard format between covered entities and maintained in any format or medium. Even conversations between a patient and a doctor have the same privacy protections as handwritten or electronic notes do.
As a health care consumer or patient, you have rights under HIPAA to access your own health information: to receive copies of your health information from your doctors, physical therapists and even social workers. If these records are held electronically, you can receive them in either electronic or paper form.
If you think that your health information privacy is ever violated, the U.S. Department of Health and Human Services has a division, the Office for Civil Rights, to educate you about your privacy rights, enforce the rules and help you file a complaint.
The Office for Civil Rights investigates potential HIPAA violations and assesses civil monetary penalties. State attorneys general have authority to enforce HIPAA rules as well. Individuals, though, don't have the right to sue for a violation but can file complaints with HHS.