Before we try to understand why HIPAA is important, it is useful to know what it is and what are its broad contours?
To answer the first part of the question, HIPAA (Health Insurance Portability and Accountability Act) was passed in the year 1996 to safeguard the interest of the patients. At that time, it was felt that those individuals who have lost their jobs or were in a vulnerable position in their jobs. Most insurance companies were not providing them with any health cover during this period which created a heavy financial drain on the resources of such individuals. Besides, there was no legislation that protected the sensitive information of the patients from data thieves.
When HIPAA legislation was enacted, it tried to streamline the data protection measures across the healthcare industry. As the healthcare industry is dynamic in nature, this important legislation was also amended a few times to ensure that it remains relevant with the times and is able to tackle those issues that have cropped up with the changing technology. If we look at the broad contours of HIPAA, we will find that it has 5 main rules. Let’s discuss them.
1). Privacy Rule: This rule deals with the protecting the medical records and PHI of the patients. It has some conditions and limits on the uses and the disclosure of the sensitive information in special circumstances. This rule allows an individual to demand a copy of his medical record so that he can inspect it and make corrections if any error has inadvertently crept into the system. If the patient wants to inspect the copy then he has to fill specific forms that are consistent with this rule:
- Request for Access to Protected Health Information (PHI)
- Request for Accounting Disclosures Form
- Notice of Privacy Practices (NPP) Form
- Authorization for Use or Disclosure Form
- Request for Restriction of Patient Health Care Information
- Privacy Complaint Form
2). Security Rule: This rule was made to protect the privacy of personal medical records. It sets the standards, methods, and processes that health industry has to follow for the protection of the data on storage, accessibility, and during transmission. It has three different levels of safeguards built in to provide comprehensive security for the patient data.
- Administrative safeguard that deals with HIPAA security compliance team
- Technical safeguard which relates to encryption and authentication for secure data access
- Physical safeguard that deals with the protection of data storage unit within the organization facility
3). Transaction Rule: This rule relates to the transaction codes that are used in the HIPAA transaction. These codes are crucial as they ensure safety, security, and accuracy of the medical history of an individual.
4). Identifiers Rule: This rule is related to three unique identifiers that use HIPAA rules for administrative as well as financial purposes.
- National Provider Identifier (NPI)
- National Health Plan Identifier (NHI)
- Standard Unique Employer Identifier
5). Enforcement Rule: This rule is about the penalties and fines imposed on any data breach by the companies that have the custody of the medical reports of the patients.
Now the question arises why is HIPAA important?
This can be answered from the perspective of an individual as well as that of a company. Let us take the case of an individual first.
Who has to follow these rules?
The rules mentioned in the HIPAA Act have to be followed by the following people/entities.
- Health insurance companies
- Company health plan
- Some government programs (like Medicare and Medicaid)
- Doctors, psychologists, Chiropractors, and dentists
- Hospitals, nursing homes, Pharmacies, and Clinics
- And any entities that in legitimate business dealings have received the medical histories of patients
Why Is HIPAA Important to Patients?
It provides the patients with a powerful tool which they can use to get their medical records (if they want to change the service provider) to see if there is an error in their records. Patients can appoint any number of people who are able to see their file in case they are not able to do so (due to accident, illness, or any other cause).
The person who is authorized has the right to speak on your behalf if you are unable to do so. The patient can designate as many people as he trusts to be on the list who in case of emergency can take care of his interest.
HIPAA legislation is there to protect the classified medical information from unauthorized people. The harsh penalties imposed on deliberate or by mistake leak of the medical history of patients has created a sense of security in the minds of the individuals. The information protected by the HIPAA legislation include:
- The name of your doctor or any healthcare provider which has been put into your record
- Any conversation that your doctor has with other doctors, specialists, nurses or any other person, concerning your treatment
- Any information regarding you that is stored with your Insurer
- Any billing information about your treatment at any clinic
- Any other health-related information that is in the safekeeping of individuals who are mandated to follow the HIPAA law
What kind of rights I have regarding my medical record kept with the hospitals, clinics or my Insurer?
- The patient can see his medical history on demand
- The patient can make any correction that he deemed fit in those records
- The patient must be informed by the respective authority when they share his information with any third party
- The patient should have the final authority to approve of sharing of his health-related medical information for any advertisement purpose
- If the patient thinks that his medical history is shared with unauthorized people without his knowledge or he is not given access to his medical records, then he can file a complaint against those authorities who have breached the law
The importance of HIPAA is not only about patients but also in its ambit the caregivers and the health industry in general.
Any company that is linked to the healthcare industry has to follow the HIPAA guidelines strictly. Here we are providing you with the main points that your company has to follow when it is dealing with sensitive information relating to the medical history of the patients.
If there is any leakage of information from your end then you will be fined quite heavily for it.
- Informing the patients of their rights to privacy and how their information may be used
- Give the responsibility of data security of medical data stored in the office premises to an individual. He should be the nodal officer regarding data transmission and share decision in the company. He should be held responsible for enforcing the privacy law in the organization and about the safety and security of the records
- Securing the medical record of the patients and keeping them safe from unauthorized access
- Limit the disclosure of the information to the authorized party to the minimum so that the intended purpose is served
When Your Medical Records Can Be Shared?
While the HIPAA rule was enacted to protect the privacy of an individual, but this law is not absolute, has certain limitations. These limitations are put in the legislation so that it allows the smooth functioning of the health sector and there is a qualitative improvement in the quality of services in health centers. Here we are giving you some of the limitations placed in the legislation when your information regarding your medical history can be shared.
- For your own treatment, care, and coordination with other health services
- To pay the hospitals and doctors for the services they have rendered for your treatment in order to run their business profitably
- With your immediate family members who are involved in providing you health care or are paying your medical bills unless you object to such sharing of your medical information
- To ensure that the doctor give high-quality care and the nursing homes are clean are well-maintained
- To protect public health in case there is an epidemic
- To prepare police reports if there is a case of gunshot wounds, stabbing, and others
The above information must have given you an idea as to why HIPAA is important to the patients? But questions may arise whether there are some entities that are not mandated to follow the rules laid down in the HIPAA Act? The answer to this question is yes as it was found that in certain cases, medical history can be shared due to greater public good and also due to the fact that it is essential for some business to function profitably.
Who don’t have to follow the HIPAA rules
- Life Insurers
- Employers (privacy rules don’t apply to employment records)
- Most schools and school districts
- Workers compensation carriers
- State agencies (such as child protective services)
- Law enforcement agencies
- Many municipal offices
What Are the Penalties Imposed for HIPAA Violations?
In case there is any violation to the HIPAA rule then the authorities have the power to impose penalties which vary depending on the breach. The penalty depends on willful leak or leak done unknowingly. Besides, the court also looks at the number of times leak had taken place from the same individual/office before imposing the quantum of penalties.
We hope after reading this article, you will have a clear picture of why HIPAA is important. Now it’s time for you to go back and review all types of information that you are collecting to assess whether you actually need to be HIPAA compliant or not.
HIPAA legislation is changing constantly and although it seems complicated, it’s imperative to ensure that everyone is in compliance. As one must be completely aware of these HIPAA directives, one needs to be prepared for the changes too. With continuous Healthcare reforms and other disruptive movements, this industry needs flexibility.
Mobisoft Infotech is a digital healthcare technology development partner that helps healthcare startups and organizations in building HIPAA compliant apps and solutions.
Shailendra Sinhasane (Shail) is the co-founder and CEO of Mobisoft Infotech. He has been focused on cloud solutions, mobile strategy, cross-platform development, IoT innovations and advising healthcare startups in building scalable products.