Many patients know little about HIPAA, whilst medical staff receive extensive training on the legislation, learning both how to interpret it and how to implement it in their daily practice.
Yet, very few patients are informed about the Health Insurance Portability and Accountability Act of 1996, and thus do not know how it is used to protect their data. Patients do not need to know all the minute details of the Act, but having some level of understanding is beneficial so that they can be informed about their rights.
What is HIPAA?
HIPAA was introduced in 1996, initially to deal with the complexities of transferring group insurance policies between employers when employees were moving between jobs. However, its reach extends far beyond the health insurance sector: now, when most people think of HIPAA, they think about data privacy laws. Title II of the Act, titled "Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform", deals directly with this field.
This may seem long and unwieldy, but it essentially lays out the guidelines for determining what protected patient data is, how it should be protected, the rules for enforcement and also the policies that should be in place should a breach occur.
How does HIPAA protect patients?
Now that we have explained what HIPAA is and aims to do, we can begin to understand what HIPAA requires healthcare providers to do. The Privacy Rule, added to HIPAA in 2003, defined protected health information (PHI) as any fact or piece of information that can be used to trace and identify an individual. This includes things such as names, social security numbers, addresses (though not the first three digits of a ZIP code), IP addresses and biometric data such as retinal prints. Of course, all medical records are also PHI. The definition of PHI is important, as it helps healthcare professionals identify sensitive information and protect it.
The next addition to HIPAA, the Security Rule, advanced patient protections by outlining all the safeguards necessary to protect PHI. It divides these safeguards into three categories: administrative (such as regular employee training and comprehensive reporting mechanisms), physical (such as clear desk policies, secure work areas and locking desks) and technical (usually involving software security). Failure to implement any of these safeguards, or alternative and equally effective solutions, will attract penalties from the Office for Civil Rights.
How does HIPAA affect me?
It may seem like all of these definitions and safeguards are very far removed from patients, but this is not necessarily the case. HIPAA grants patients many rights, such as the right to access their medical information at any time without undue delay, or the right to have their medical records corrected if they can show there was a mistake.
Importantly, HIPAA gives patients the right to privacy. It does this by ensuring that no patient data is shared unnecessarily with unauthorized individuals, whether they are inside the healthcare sector or outsiders trying to target it via cyber attacks.