What Exactly Is Protected By HIPAA?


HIPAA, or the Health Insurance Portability and Accountability Act of 1996, is a federal law that enables the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. But what exactly is protected by this federal law, and how does it affect you as a patient? Keep reading below to learn more!

What Is HIPAA?

As mentioned above, HIPAA’s primary purpose is to protect patients’ information from being disclosed without their consent. The law also sets out different rights you are entitled to, along with specific rules for how it should be followed. For example, one of the areas HIPAA protects is PHI, also known as Protected Health Information. PHI includes any health information created or received by a healthcare provider, such as the individual’s physical or mental health conditions, along with information about any healthcare services provided to an individual and payment for such services. It also protects any data transmitted in any form or medium, including paper, electronic, or verbal communications.

Other types of data or information protected as PHI include individually identifiable information such as a patient’s name or initials, DOB, SSN, e-mail address, phone numbers, and patient demographics, as well as any medical information related to the patient, such as diagnoses, health conditions/status (physical and mental), disease/illness, or lab/radiology results.

So, Who Must Follow These Laws?

According to HIPAA regulations, “covered entities” must follow this law. Covered entities include:

Health Plans, including health insurance companies, HMOs, company health plans, and certain government programs that pay for health care, such as Medicare and Medicaid.

Most Health Care Providers, those that conduct certain business electronically, such as electronically billing your health insurance—including most doctors, clinics, hospitals, psychologists, chiropractors, nursing homes, pharmacies, and dentists.

Health Care Clearinghouses, entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.

In addition, business associates of covered entities must follow parts of the HIPAA regulations.

Often, contractors, subcontractors, and other outside persons and companies that are not employees of a covered entity will need to access your health information when providing services to the covered entity. These entities are called “business associates.” Examples of business associates include:

Companies that help your doctors get paid for providing health care, including billing companies and companies that process your health care claims

Companies that help administer health plans.

People like outside lawyers, accountants, and IT specialists

Companies that store or destroy medical records

IT services companies such as BTC that manage and support applications that process protected health information and/or personal identifying information.

Covered entities must have contracts in place with their business associates, ensuring that they use and disclose your health information properly and safeguard it appropriately. Business associates must also have similar agreements with subcontractors. Business associates (including subcontractors) must follow their contracts’ use and disclosure provisions and the Privacy Rule and the Security Rule’s safeguard requirements.

What Are Your Rights As A Patient?

Essentially there are six principal patient rights under HIPAA, which include:

Notification of Privacy Practices

HIPAA-covered entities are required to notify you about how your medical data will be used. This information is provided in a Notice of Privacy Practices or NPP. The NPP should be posted on your provider’s website and given to you to sign when you first visit a new healthcare provider or sign up with a health plan.

Right to Obtain a Copy of Your Health Data

One of the most critical patient rights under HIPAA is the right to view or obtain a copy of your health data. By getting a copy of your health records, you can check the data for errors, keep a copy for your records, and share your health information with whoever you wish.

You can exercise this right by submitting a request in writing. Most healthcare providers will require you to fill in a form. A copy of your medical records must be provided within 30 days. You can specify how you want to receive the information – electronically or as a physical copy.

Right to Correct Errors in Your Health Records

After obtaining and checking your health records, you may discover an error such as a medical condition that has not been recorded. HIPAA gives patients the right to make changes to their health information to correct mistakes by submitting a request in writing.

Right to Find Out Who Has Received Your Health Data

HIPAA includes a right to an accounting of disclosures of health data. If requested, a covered entity is required to provide information about who has received an individual’s health data over the past six years.

Right to Restrict Sharing of Your Health Data

Patients have the right to restrict the sharing of their health data for particular purposes other than treatment, payment, or healthcare operations. HIPAA-covered entities are not permitted to sell your health data or use it for marketing, advertising, or research without first obtaining authorization to do so in writing.

Patients can also decide with whom their health information can be shared, such as family members, friends, caregivers, legal representatives, or other entities. They can also request that information is not shared with other individuals or groups.

Right to File a Complaint About a Privacy Violation

If an unauthorized individual has accessed your health data, if your health data has been impermissibly disclosed, or if you believe that any aspect of the HIPAA Rules has been violated, you have the right to file a complaint.

The Department of Health and Human Services’ Office for Civil Rights (OCR) will investigate the complaint. If OCR determines that HIPAA Rules have been violated, fines can be issued for noncompliance.

So, How Can BTC Play A Role In This Process?

Boston Technology Corporation’s tech team members, who recently participated in a HIPAA compliance certification training to refresh and enhance their understanding of current HIPAA compliance standards, know how to utilize technology to keep patients’ personal health and identification information safe. To see how they can work with your organization to ensure that your patients’ health information is protected from potential threats or data breaches, click here.
