
HIPAA Basics

Sep 26, 2023 Family Medicine

Any time you visit a new doctor, you’re asked to sign a notice of privacy practices and a HIPAA authorization form. But have you ever wondered what you’re really signing?

Most people know that HIPAA exists and have a vague sense that it has something to do with patient privacy. To clear up some confusion, we’ve created a guide to some of the most common questions and myths about HIPAA.

What is HIPAA and why was it created?

HIPAA stands for the Health Insurance Portability and Accountability Act, a federal law passed in 1996. It was designed to create privacy and security standards that protect patient medical records without inhibiting a doctor’s or organization’s ability to provide high-quality health care. The law itself set the framework; the detailed Privacy Rule (in force since 2003) and Security Rule (since 2005) were issued under it by the U.S. Department of Health and Human Services. If you give any type of health information to a doctor, hospital, or health plan, that information is subject to certain protections under HIPAA.

Before the digital age, it was much more difficult to share healthcare information. But as more medical records became digital (and shareable), concerns rose about the privacy of these records. HIPAA was created to implement uniform federal standards for privacy while also streamlining the transfer of information among providers, health plans, and patients. In other words, HIPAA protects patient health information without interfering with a patient’s access to healthcare.

HIPAA also targets fraud and abuse within the healthcare system: it created a federal health care fraud and abuse control program and standardized the electronic transactions and code sets used for claims, which makes fraudulent claims easier to spot and legitimate payments faster to process. Additionally, HIPAA makes it easier for individuals to maintain insurance coverage when they move between jobs.

Who is covered by HIPAA?

HIPAA applies directly to what the law calls covered entities: health plans, health care clearinghouses, and health care providers that transmit health information electronically in connection with standard transactions such as claims and eligibility checks. Since the 2009 HITECH Act, it also applies directly to business associates, the vendors and contractors (billing companies, cloud hosting providers, IT support, shredding services) that create, receive, or store protected health information on a covered entity’s behalf. Urgent care doctors, primary care doctors, specialists, hospitals, and health insurance plans are just some of the organizations that are covered by HIPAA.

However, not everyone who is associated with health or healthcare is subject to HIPAA regulations. A Registered Dietitian may choose to offer general advice on diet, exercise, and wellness online and on social media. She may also have a subscriber community where individuals can share their stories and health challenges. But because she isn’t acting as a healthcare provider to these individuals and isn’t billing insurance for them, she isn’t a covered entity, and HIPAA doesn’t apply to her. If someone shares information in the subscriber community and she then posts it on Instagram without their consent, she isn’t violating HIPAA, even though her action may be unethical.

If that same dietitian were employed by a hospital to work with patients and then shared a hospital patient’s private information on social media without their consent, that would be a HIPAA violation: she would be acting as part of the hospital’s workforce, and the hospital is a covered entity. To be subject to HIPAA, a person or organization must be a covered entity (a healthcare provider, health plan, or clearinghouse), part of a covered entity’s workforce, or a business associate handling patient information on a covered entity’s behalf.

How does HIPAA protect patient privacy?

HIPAA sets national standards for the security and privacy of your health information. HIPAA’s Privacy Rule regulates the use and disclosure of protected health information (PHI): individually identifiable information, in any form, about a person’s past, present, or future health condition, the health care provided to them, or payment for that care, when it is held by a covered entity or business associate. Any part of your medical record, your payment history, or anything you share with your doctor or a health plan is protected and confidential. Information that has been properly de-identified, with names, dates, and other identifiers removed, is no longer PHI.

The Privacy Rule does not lock your information away from everyone. It permits your providers to share PHI with one another for your treatment without asking your permission each time. For example, if your primary care doctor refers you to a gastroenterologist to discuss your recent abdominal pain, they can send your medical records to the specialist so that the specialist can treat you better.

HIPAA’s “minimum necessary” standard works alongside this. For most uses and disclosures (sharing between providers for treatment is a notable exception), a covered entity must limit what it uses, shares, or requests to the minimum needed for the purpose. In practice, that means your gastroenterologist’s office has no reason to pull your dental records, since they are irrelevant to your abdominal pain. And if your gastroenterologist shares a practice with other providers who are not involved in your treatment, the practice must set up its policies and system access so that those providers cannot get into your records.

HIPAA’s Security Rule adds standards for electronic PHI: covered entities must assess their risks and put administrative, physical, and technical safeguards in place, such as access controls, audit logs, and encryption of data in transit and at rest, so that information stored or transmitted electronically stays secure. (Encryption is what the rule calls an “addressable” specification: an organization must use it or document why an equivalent safeguard is reasonable in its situation.) The Privacy Rule is broader and also protects written and spoken health information. For example, your primary care doctor can’t call your boss to tell them about your high blood pressure without your consent.

What is a HIPAA violation? What are the penalties for violations?

HIPAA violations can take several forms. Some examples of HIPAA violations include:

  • Unauthorized access. Unauthorized access involves an individual accessing information that they do not need to know. If a celebrity was admitted to a hospital, a doctor who worked at that hospital but was not caring for the celebrity could not log in to hospital records to learn more about the celebrity’s condition. Even if the doctor never discloses that information and is only satisfying his curiosity, it’s a HIPAA violation.
  • Improper disposal. HIPAA has specific standards for the disposal of private health information. If a health plan administrator charged with disposing of old records fails to shred them and puts them in the dumpster, they are in violation of HIPAA regulations. Someone could obtain this trash to gain access to the documents, which include patient names and other sensitive health information.
  • Unsecured transmissions. HIPAA requires safeguards for electronic transmissions of patient information. A nurse treating a patient with a rash may take a picture to share with a doctor in the practice for a consult or second opinion. But if the nurse emails that image from a personal, unencrypted email account instead of the clinic’s secure system, it’s a HIPAA violation: the photo leaves the systems the clinic controls and monitors, travels without the protections the clinic’s safeguards require, and ends up in a mailbox the clinic can neither secure nor audit.

Because HIPAA is a comprehensive, complex act, these are only a few examples of potential violations.

Penalties for HIPAA violations range from monetary fines to criminal prosecution, and the severity depends on the circumstances of each violation. Civil penalties are tiered by culpability: an organization that did not know (and could not reasonably have known) about a violation is treated very differently from one guilty of willful neglect, and willful neglect that is not corrected promptly carries the highest fines. Criminal penalties apply when someone knowingly obtains or discloses PHI in violation of the law, with the harshest penalties reserved for doing so under false pretenses or for personal gain or malicious harm. Beyond fines, organizations are usually required to adopt a corrective action plan, and a breach affecting 500 or more people must be reported to HHS and the media, not just to the patients involved.

What am I signing when I sign a HIPAA release?

The first time you visit a doctor or provider, you’ll probably be handed two separate documents: a Notice of Privacy Practices and a form often called a HIPAA authorization or release. The Notice of Privacy Practices explains your privacy rights and how the practice may and may not use your health information; what you sign is an acknowledgment that you received it, not a consent to anything.

The second form does two things. It records your communication preferences, such as whether your doctor may leave a message with your lab results or talk to your spouse about rescheduling an appointment, and it lets you authorize disclosures that HIPAA would not otherwise permit, such as releasing records to an employer, attorney, or other third party. Read it carefully: an authorization should name who may release the information, who may receive it, what information is covered, for what purpose, and when it expires, and you can revoke it in writing at any time.

You won’t have to sign these forms every time you go to the doctor, but many practices will obtain signatures annually to ensure that patients remain informed. You can always ask your doctor or office staff if you’re unsure why you’re being asked to sign a form.

What are some common myths about HIPAA?

Because HIPAA is such a comprehensive act, many people misunderstand its reach.

Myth #1: HIPAA prevents your provider from sharing information with your family or loved ones.

Providers can share information with family members or others involved in your care unless you’ve objected, or unless the provider believes that sharing it may put you at risk. If you’ve had surgery for a hip replacement and are in recovery, your provider can update your spouse on your condition. However, your provider won’t share health information with your roommate unless you’ve told them your roommate is involved in your care or given written authorization.

Myth #2: Doctors can’t leave voicemails on your phone due to HIPAA regulations.

Your provider can leave voicemail messages. The Privacy Rule allows appointment reminders and similar messages as long as the provider takes reasonable care to limit what is said, and it requires the practice to honor reasonable requests about how and where you’re contacted. That’s why most practices ask you to state your preferences up front: you can decide whether messages may be left at all and how much detail they may contain. For example, a patient may be willing to let providers leave messages about appointment times but not their lab results.

Myth #3: HIPAA prevents patients from accessing their own medical records.

Patients have the right to see and obtain a copy of their own medical records, and a provider generally must respond to a written request within 30 days (with a few narrow exceptions, such as a therapist’s psychotherapy notes). Many providers also have a Patient Portal or electronic medical record that lets you log in and view or download your records. Your records are still protected: outside the uses HIPAA already permits, such as your other providers for treatment, your health plan for payment, and certain legal requirements, no one else can obtain them without your written authorization.

At MedHelp, we’re committed to upholding HIPAA and protecting the privacy of all of our urgent care and primary care patients. If you have questions about our privacy practices, please contact the MedHelp clinic location near you.

Convenient, Comprehensive Healthcare

While MedHelp is known as the premier urgent care clinic in Birmingham, we also offer comprehensive healthcare services to our patients. Board-certified providers offer relationship-based primary care, dermatology, gynecology, and hormone replacement therapy at our Birmingham-based clinics.