There are four key aspects that explain how HIPAA protects healthcare patients: privacy of health information, security of that health data, notification of breaches of medical records, and the right to obtain copies of healthcare data.
Privacy of Health Information
The HIPAA Privacy Rule restricts which individuals are able to view healthcare data and with whom healthcare data can be shared without first obtaining permission from patients. In general terms, access to health data is restricted to healthcare employees who need to view health and personal information in order to provide healthcare services and perform administrative duties.
Healthcare organizations can only share PHI with business associates that perform healthcare operations services on behalf of a covered entity and that need access to PHI to fulfill a task. In such cases, the business associates in question must agree to keep the data secure. The same rules apply to access to and disclosures of PHI by other individuals or companies. Any PHI provided must be limited to the absolute minimum needed to perform the specific services the business associate is required to perform.
PHI cannot be shared with other companies before obtaining permission from the patients in question. This includes research and marketing companies.
Additionally, the Privacy Rule gives patients the opportunity to designate which individuals are permitted to obtain their health data on their behalf, e.g. family, friends, or caregivers.
Security of Health Data
HIPAA requires healthcare organizations to implement controls to ensure that any health data created, stored, maintained, or transmitted is kept secure at all times. These controls include administrative measures, physical security for paper records and for electronic devices that store health data, and technical controls such as encryption, firewalls and anti-virus software. Furthermore, healthcare employees must be trained to recognize email- and web-based threats such as phishing. These measures are intended to ensure that hackers and other cybercriminals cannot gain access to patients’ and plan members’ health information.
Notification of Data Breaches
Although HIPAA protects patient privacy by restricting who can access health data, and healthcare organizations are required to implement security controls to keep PHI secure, privacy and security breaches can still occur, even if they remain an uncommon occurrence.
Healthcare organizations and their business associates are required by HIPAA to issue notifications to patients in the event of health data being compromised or stolen. This gives breach victims the opportunity to act to protect their identities and reduce the risk of becoming a victim of fraud. HIPAA requires notifications to be issued to victims within 60 days of a breach being discovered.
Copies of Medical Records
HIPAA gives patients the right to obtain copies of the health information created or held by healthcare organizations. By obtaining copies of their health data, patients take a much more active role in their own healthcare. Although, in theory, one healthcare provider should be able to send health data to another provider that is also treating the same patient, certain issues remain that prevent all health data from being transferred.
By obtaining copies of their health information, patients can straightforwardly share that information with any healthcare organization. This includes research organizations, to help in studies that benefit the whole population.
One other valuable reason for obtaining copies of health data is to check health records for errors. If a mistake is made in a health record, it could affect decisions about the best treatment for the patient. It is therefore critical for patients to check their medical records for errors and to have any mistakes corrected.