Patients believe, and reasonably assume, that the information they share in confidence will remain confidential. While there are numerous privacy laws and regulations aligned to Personally Identifiable Information (PII) and especially Sensitive Personally Identifiable Information (SPII), there are specific rules tied to health information. In the United States, the privacy of that data is governed by the Health Insurance Portability and Accountability Act of 1996 (HIPAA or the Kennedy–Kassebaum Act), signed into law on August 21, 1996.
At its heart, HIPAA maintains that information gathered and recorded in association with the care of a patient is confidential. Disclosing any PII or SPII to third parties for commercial purposes without consent undermines trust and violates the principles of informed consent and confidentiality. However the harm extends to the integrity of the patient-physician relationship for health information. HIPAA stipulates how healthcare and healthcare insurance industries should safeguard protected health information (PHI) from fraud and theft.
HIPAA has five titles:
- Title I protects health insurance coverage for workers and their families when they change or lose their jobs.
- Title II, also known as the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers.
- Title III sets guidelines for pre-tax medical spending accounts
- Title IV sets guidelines for group health plans
- Title V governs company-owned life insurance policies
For security and privacy practitioners, there are two HIPAA rules that protect the management and use of health information:
- Privacy Rule - gives patients rights over their health information and sets rules and limits on who can look at and receive that information. The Privacy Rule applies to all forms of individuals' protected health information, whether electronic, written, or oral.
- Security Rule - requires security for health information in electronic form.
Which Organizations Must Comply with HIPAA?
The organizations that must adhere to HIPAA are referred to as “covered entities.” Covered entities encompass:
- Health Plans - these entities include health insurance firms, health maintenance organizations or more commonly referred to as HMOs, company health plans, and some government programs like Medicare and Medicaid.
- Health Care Providers - these entities create an electronic paper trail that includes but is not limited to billing information. Doctors, clinics, hospitals, psychologies, chiropractors, nursing homes, pharmacies and dentists fall under this category.
- Health Care Clearinghouses – these entities process and standardize health information that they receive from other entities
“Business associates” include contractors, subcontractors, and other third parties that may have access to health information as part of providing a service. Business associates are obligated to follow HIPAA where applicable.
Which Organizations are Exempt from HIPAA?
While “covered entities” are not the only organizations with PHI, they are the ones that draw scrutiny from regulators. Certain organizations may also possess PHI or other health-related information, but are generally exempt from HIPAA regulation. These include but are not limited to life insurance companies, schools, state agencies, law enforcement, and other groups.
What Data is in Scope?
The type of data that is in scope under HIPAA includes information generated and shared by healthcare providers and related entities.
- Medical records
- Health insurance
- Other health information
How Should Health Information be Protected?
HIPAA provides high-level guidance for protecting health information. These recommendations are for covered entities and business associates to:
- Deploy safeguards
- Limit use and disclosure
- Limit access
- Implement training for employees
What are Patient Rights Regarding Their Health Information?
Patients have the following rights when it comes to their health information:
- Obtain a copy
- Ensure it’s correct
- Limit use or sharing, before it happens
- Restrict how it’s used or disclosed
- Obtain a report on when and why it was shared
Patients can also file a complaint with HHS if they believe their right to know and control their own health information is being denied.
What are the Permitted Uses of Health Information?
Health information can be used and shared for the following purposes:
- Enabling treatment and care coordination
- Paying providers for your treatments
- Enabling family, friends, and others individuals to support or manage a patient’s care
- Ensuring quality treatment
- Ensuring that care facilities are clean and safe
- Protecting public health
- Reporting to law enforcement
Unless superseded by law, patients decide who has access to their information.