For almost 20 years, you've been hearing about the Health Insurance Portability and Accountability Act (HIPAA), and you've probably signed your fair share of HIPAA forms at the doctor's office. But what exactly is HIPAA? Why do you need it to protect your personal health information?
Basically, HIPAA protects your medical information and requires anyone who wants access to your health care records to go through steps that show that they are authorized. HIPAA came into existence in 1996. Prior to 1996, there was no national standard for how to protect health information, and health records were kept on paper. These documents were stored in rooms or locked file cabinets in doctors' offices and sent out at the discretion of the office staff. Rules about access to this paper-based personal health information varied at the state and local level.
Protected Health Information: Definition and Access
As the computer age began and the electronic transmission of health records became possible, the U.S. Department of Health and Human Services devised HIPAA to establish a definition of protected health information. Today, protected health information (PHI) includes any information about you that is received by or generated by a health care provider, a school, an employer, a health insurance company, or a life insurance policy. Information from the past, present, and future is covered. It doesn't matter how that information was received, whether spoken, written, faxed, emailed, or part of an electronic medical record. HIPAA states that, if it pertains to you and your health, that information cannot be shared without your permission.
HIPAA also designates who has legal access to your health information. First of all, you do. HIPAA makes it very clear that patients have the right to see their medical records, to make amendments to those records, and to have copies of those records.
Who else has the legal right to access your information? Covered entities do. Covered entities include many of the same groups labeled by HIPAA as responsible for safeguarding your personal health information: health plans, either private or governmental; health care providers such as nurses, doctors, and pharmacies; and health care clearinghouses.
You, the patient, has the right to restrict who sees your health care information, so according to HIPAA, any entity that wants to access your health information needs your consent. Those forms that you sign when you visit your doctor grant permission to the doctor or nurse, to the insurance company, and to the clearinghouses to access your information. Any other person or legal body needs additional authorization.
HIPAA also paved the way for the Privacy Rule. According to that rule, all covered entities must protect electronic health information and educate patients about their rights. HIPAA and the Privacy Rule ensures that you are given a clear written statement describing how health care providers and other covered entities are able to use or share your information. HIPAA also gives you a way to report potential violations to your privacy and describes penalties for such violations.
To summarize your rights under the Privacy Rule, you are entitled to:
- Have privacy protection for your health information.
- Have restrictions on who has access to your information.
- Give consent to release your health information.
- View and receive a copy of your own medical records.
- Seek recompense if your privacy protections are violated.
HIPAA protects every form of your personal health information, past, present, or future, wherever it goes. As long as it remains in the hands of one of the groups listed above — health care providers and processors — the parties who transmit your health information are responsible for obeying HIPAA, for informing you about your rights, and for protecting your information. In this way, the Health Insurance Portability and Accountability Act has been guarding your personal health information for nearly a generation.