The information you provide when filling out forms at your healthcare provider’s office becomes a part of your personal health record, much of which is protected under HIPAA.
You might believe you're the only person with access to your personal health records, but that's not the case. In reality, several entities are permitted to view your records, along with your financial and insurance details.
The Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996, set the national framework in the U.S. for the handling and sharing of personal health information. Under HIPAA you have specific rights over your health data: the right to obtain a copy, the right to request corrections, the right to request limits on certain uses and disclosures, and the right to an accounting of who your information has been disclosed to and why. Keep in mind that it isn't only you and your physician who handle the information in your file. An account representative who checks your insurance eligibility electronically, for instance, also sees some of your health details, but HIPAA's "minimum necessary" standard limits each such use to what the task requires, so staff without a legitimate need are not given the rest of your record.
Organizations that must follow HIPAA's rules are called covered entities: healthcare providers (doctors, nurses, dentists, hospitals, clinics, pharmacies), health plans (health insurance companies, HMOs, Medicare, Medicaid), and healthcare clearinghouses. Third parties that handle PHI on a covered entity's behalf (claims processors, billing companies, IT contractors) are business associates; they are bound by contract with the covered entity and, since the HITECH Act, are directly liable under HIPAA as well [source: HRSA].
HIPAA compliance requires covered entities to uphold certain obligations when it comes to ensuring your data remains private and protected.
Secure and Encrypted Data Storage and Sharing
The HIPAA Privacy Rule, enforceable since 2003 by the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services, protects your identifiable health information from unauthorized use or disclosure. Protected Health Information (PHI) is any individually identifiable health information a covered entity or business associate holds or transmits, in any form: what your doctor records, conversations between your provider and other clinicians such as nurses, your billing records, and any identifiable data your health plan holds about you [source: HHS].
The HIPAA Security Rule governs how electronic PHI (ePHI) is stored, transmitted, and accessed. HIPAA's related transaction standards define the electronic exchanges that trigger these obligations: claims and encounter information, payment and remittance advice, claims status, eligibility, enrollment and disenrollment, referrals and authorizations, coordination of benefits, and premium payment [source: Centers for Medicare & Medicaid Services]. Before a business associate may access or receive PHI, whether through an online transaction, a tablet, or any other electronic means, it must sign a business associate agreement committing to safeguard the data. The Security Rule then requires three kinds of safeguards: administrative (documented policies, a risk analysis, workforce training, and contingency plans including data backups), physical (facility, workstation, and device controls), and technical (unique user IDs and access controls, audit logs, integrity checks, and encryption of ePHI at rest and in transit; encryption is an "addressable" specification, meaning an entity must either implement it or document why an equivalent alternative is reasonable). Under the Privacy Rule's minimum necessary standard, each use or disclosure must also be limited to what its stated purpose actually requires.
HIPAA binds only covered entities and their business associates. Your employer (in its role as employer), life insurers, workers' compensation carriers, schools, state agencies such as child protective services, law enforcement, and municipal offices are not covered, so any health data they hold is governed by other laws, if any. The electronic-transaction test determines whether a provider is covered in the first place: a provider that conducts any standard transaction electronically, such as checking your insurance eligibility from a computer, is a covered entity. Once covered, the Privacy Rule protects its PHI in every form, including what is said over the phone and written on paper; the Security Rule adds requirements specific to electronic PHI.
The HHS Office for Civil Rights maintains a public list, often called the "wall of shame", of breaches of unsecured PHI affecting 500 or more individuals per incident. The HITECH Act (Health Information Technology for Economic and Clinical Health), enacted in 2009 to strengthen HIPAA's privacy and security provisions, requires this posting, and you can search the reported breaches through OCR's online breach portal.
Limited Data Sets
A significant share of reported health information breaches trace back to lost or stolen laptops and other devices. With mobile devices now standard in the healthcare industry, it's understandable that many patients worry about the security of their personal health data.
In certain situations HIPAA permits disclosure of PHI without your authorization: for treatment, in emergencies, and in response to public health threats such as bioterrorism. There are also exceptions for public health surveillance (for example, data collected for local flu reports), reports required by law (such as reporting a gunshot wound), and research and public health interventions [source: CDC]. For research, public health, and health care operations, a covered entity may also release a "limited data set" (LDS) under a data use agreement. An LDS has the direct identifiers removed but may still contain your age (in years, months, days, or hours), relevant dates (birth and death dates, admission and discharge dates), and geographic detail down to city, state, and zip code.
Under the Privacy Rule, the following 16 direct identifiers of the individual, and of their relatives, employers, and household members, must be removed from an LDS: names; street addresses (anything more specific than city, state, and zip code); telephone numbers; fax numbers; email addresses; Social Security numbers; medical record numbers; health plan beneficiary numbers; account numbers; certificate or license numbers; vehicle identifiers and serial numbers, including license plates; device identifiers and serial numbers; URLs; IP addresses; biometric identifiers such as fingerprints and voiceprints; and full-face photographs or comparable images [source: Johns Hopkins Medicine].
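The rule above is easy to state and easy to get wrong in practice, because direct identifiers also turn up inside free-text fields such as clinical notes. The following Python is an added example (not code from the article or from any of the cited organizations) of a fail-closed LDS builder: it drops the 16 direct-identifier fields by name, passes only an explicit allow-list of LDS-permitted fields, and scans the text fields that remain for Social Security number, phone, email, URL, and IP patterns. The field names, the sample record, and the regular expressions are assumptions for this illustration; the patterns are heuristics that catch common formats, not a complete de-identification.

```python
"""Build a HIPAA-style limited data set (LDS) from a single patient record.

Added example. Field names and the sample record below are assumed for this
illustration; they are not a real EHR schema or real patient data.
"""
from __future__ import annotations

import re

# Fields holding the 16 direct identifiers the Privacy Rule excludes from an LDS.
# (Assumed field names; a real system would map its own schema onto this set.)
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "license_plate", "device_id", "url", "ip_address", "biometric", "photo",
}

# Fields an LDS may keep: dates, age, geography above street level, and the
# clinical content the data set exists to share. Anything not listed here is
# dropped rather than passed through, so new schema fields fail closed.
PERMITTED_FIELDS = {
    "age", "birth_date", "death_date", "admission_date", "discharge_date",
    "city", "state", "zip", "diagnosis", "procedure", "notes",
}

# Heuristic patterns for direct identifiers that leak into free text.
LEAK_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b(?:\+?1[-.\s]?)?\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+|\bwww\.\S+", re.IGNORECASE),
}


def build_limited_data_set(record: dict) -> tuple[dict, list[str]]:
    """Return (lds_record, findings).

    Direct-identifier fields are removed outright, unknown fields are dropped
    and reported, and every string that survives is scrubbed of identifier
    patterns, with each hit recorded so a reviewer can see what was caught.
    """
    lds: dict = {}
    findings: list[str] = []
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue
        if key not in PERMITTED_FIELDS:
            findings.append(f"dropped unknown field {key!r}")
            continue
        if isinstance(value, str):
            for label, pattern in LEAK_PATTERNS.items():
                if pattern.search(value):
                    findings.append(f"{label} pattern found in {key!r}")
                    value = pattern.sub(f"[{label.upper()} REMOVED]", value)
        lds[key] = value
    return lds, findings


# Constructed sample record (fictional values), used for the demonstration.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "ssn": "123-45-6789",
    "mrn": "MRN-000123",
    "street_address": "12 Main St",
    "city": "Springfield",
    "state": "IL",
    "zip": "62704",
    "birth_date": "1970-04-02",
    "admission_date": "2014-03-01",
    "discharge_date": "2014-03-05",
    "diagnosis": "J18.9",
    "notes": "Patient can be reached at 217-555-0142 or jane.doe@example.com after discharge.",
    "employer": "Acme Corp",  # not a permitted LDS field: dropped and reported
}

if __name__ == "__main__":
    lds, findings = build_limited_data_set(SAMPLE_RECORD)
    for field, value in lds.items():
        print(f"{field}: {value}")
    print("findings:", findings)
```

The findings list is the part worth keeping: a direct identifier that reaches a note field means an upstream intake form or template is putting identifiers where the schema does not expect them, and that is a process defect to fix, not just a string to redact.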
Even with HIPAA regulations designed to safeguard our medical records, 83% of Americans still worry about the privacy and security of their health data. Nearly 70% are opposed to the digitization of their medical information altogether [source: Xerox]. So, what happens when these concerns turn out to be justified—what occurs when a breach takes place?
When unsecured PHI is breached (a lost or stolen laptop is a common cause), the Breach Notification Rule requires the covered entity to notify the affected individuals without unreasonable delay and no later than 60 days after discovering the breach, and to report the incident to the Secretary of the U.S. Department of Health & Human Services (HHS): within that same 60-day window if 500 or more people are affected, otherwise in an annual log. A breach affecting more than 500 residents of a state or jurisdiction must also be reported to prominent media outlets serving that area. Anyone who believes their privacy rights have been violated can complain to the responsible covered entity or business associate, to the HHS Office for Civil Rights, or both. Depending on the circumstances, HIPAA violations can bring civil money penalties, or criminal penalties including fines and imprisonment for knowingly obtaining or disclosing PHI.
