The Health Insurance Portability and Accountability Act was introduced in 1996 to ease the transfer of health insurance plans between employers if an employee was moving jobs. Even though it still regulates many aspects of health insurance, when most people talk about HIPAA they refer to its sections on data privacy.
Since its introduction, HIPAA has dramatically changed how patient data is handled by healthcare professionals. It puts patient privacy at the fore, defining “protected health information” (PHI) as any piece of information that can be used to identify individuals. These can include names, birthdays, social security numbers, license numbers, IP addresses, home addresses and biometric data such as finger or retinal prints. These pieces of information, alongside the medical records themselves, are protected by HIPAA and must not be shared with unauthorized individuals. The definition of PHI, as well as the rules stipulating how and when PHI can be shared, are laid out in the Privacy Rule.
Why should patients care?
This emphasis on patient privacy is the main reason why patients should care about HIPAA – it is the main piece of legislation protecting them from fraud. The HIPAA Security Rule outlines three main categories of safeguard – administrative, physical and technical – that must be in place to protect patient data. All serve an important role in protecting patients from fraud. Technical safeguards include measures such as encryption and two-factor authentication, which make it harder for cybercriminals to access patient data. Physical safeguards such as clear desk policies prevent outright theft of data. Administrative safeguards are often considered less important but are essential. HIPAA is a complicated document, and employee training can dramatically reduce the incidence of breaches, whilst having clear means of reporting violations can limit further damage once a breach has occurred.
All of these safeguards serve the same purpose: maintaining the integrity of patient data. Without such integrity, patients are at high risk of becoming victims of fraud. Medical data is highly sought-after by cybercriminals. It is considered to have a longer “shelf life” than things such as credit card numbers, which can be cancelled as soon as theft is suspected. Additionally, the large amounts of information contained in medical records can be recombined to create a “new identity” for health insurance fraud.
There is also an inherent worth to keeping health records private. The vast majority of patients would not like their medical history to be accessible by anyone, be it from fear of stigma or a simple desire to keep their private life private.
Patient Rights Under HIPAA
HIPAA also aims to give patients agency over their own healthcare. Under HIPAA, patients can access their medical record at any time without undue delay, in any format that is most convenient to them. They can also request to have their data sent on to another healthcare professional or any other nominated recipient. All requests for medical records should be fulfilled without undue delay, irrespective of whether there are outstanding healthcare bills. Patients can also request changes to their medical records, or ask to know who has accessed the information.