In 1996, Congress passed the Health Insurance Portability and Accountability Act (HIPAA), which among other things, offers protection for personal health information, including electronic medical records. HIPAA requirements and security rules give patients more control over their health information, set limits on the use and release of their medical records, and establish a series of privacy standards for healthcare providers, which provide penalties for those who do not follow these standards.
HIPAA requirements grant patients several key privacy rights over their medical records, as outlined in this PDF, which imposes obligations on healthcare providers. The most recent HIPAA requirements for certain healthcare administrative transactions, such as claims, remittance, eligibility, and claims status requests and responses, are identified in American National Standards Institute (ANSI) 5010 Accredited Standards Committee (ASC) X12 version, which went into effect January 1, 2012, for all covered entities.
Note: The use of ANSI 5010 is also a prerequisite to meeting the ICD-10 claims formatting deadline of October 1, 2013, as the current HIPAA transaction standards cannot support the ICD-10 code formats.
What are the 5 Pillars of HIPAA?
The key components of HIPAA privacy rules are:
- Privacy Rule
- Transactions and Code Sets Rule
- Security Rule
- Unique Identifiers Rule
- Enforcement Rule
The Privacy rules govern around protecting the best interests of patients. Under this, a patient must provide a signed consent only, after which their personal information can be accessed or disclosed.
Transactions and Code Set Rule focus on improving the efficiency of the system by standardizing healthcare transactions.
Complementing the privacy rule, Security Rule outlines protecting Electronic Health Information via administrative, physical, and technical safeguards.
Under Unique Identifiers Rule, all covered entities under HIPAA, such as providers, must utilize only the National Provider Identifier (NPI) when it comes to electronic transactions, healthcare clearinghouses, and large health plans. If HIPAA regulations are violated, the Enforcement Rule comes into play.
Who Enforces HIPAA?
The HIPAA Privacy and Security Rules are primarily enforced by the Office for Civil Rights (OCR). In the event of data breaches and HIPAA violations, The HHS’ Office for Civil Rights enters the picture and conducts inquiries and investigations.
What are Examples of HIPAA Violations?
Some of the notable instances where HIPAA rules & regulations are violated include:
- Maintaining unsecured records
- Storing data with no or weak encryption
- Getting hacked or phished
- Losing or theft of devices with sensitive data
- Unauthorized access to EMR
- Improper disposal
- Accessing records from an unsecured location/network
Your Rights as a Patient
- Patients have the right to ask for a written notice about how their health information is used and shared, and to view their medical records.
- They can request a copy of their file, and also request that any mistakes be corrected.
- In most cases, healthcare providers must produce these documents within 30 days of receiving the request but may charge reasonable fees to cover any expenses associated with making copies, if the patient requests these.
- In most cases, patients have to be notified if their files are leaked or stolen, but there are some exemptions to these rules.
They may also use HIPAA-compliant outside services to produce these copies on their behalf. Certain parties are exempted from HIPAA requirements, which means some medical information may be shared without a patient’s knowledge in limited circumstances.
Note: Healthcare providers who specialize in mental health are specifically exempted from the requirement to disclose patient information.
HIPAA & EMR
With respect to HIPAA and electronic medical records (EMR), these systems typically use data encryption to protect patient medical records stored on the EMR. Data encryption technology protects EMRs while they are stored and while they are being transferred, ensuring that only the intended recipients are able to view them.
There are other HIPAA data security systems that are typically installed on healthcare computer systems and networks, including firewalls to prevent unauthorized access, and electronic auditing systems which require users to identify themselves and which log specific records that are accessed by them.
Many healthcare providers find it useful to have HIPAA data security audits of their systems performed on a regular basis. These examinations and reports, if addressed properly, can serve to ensure a high level of compliance and also to mitigate penalties for inadvertent problems.
While many of these HIPAA privacy issues are outside most healthcare providers’ areas of expertise, they need to be prepared to answer patients’ questions and address concerns about the confidentiality of their medical records and the methods used to protect patient records.
Many providers also express concern about their ability to share information in any fashion without incurring potential legal liability, unless they receive explicit patient permission. HIPAA electronic medical records privacy rules allow healthcare providers to use or disclose patient health information, such as diagnostic images, laboratory tests, diagnoses, and other medical information for treatment purposes without the patient’s authorization. This includes sharing the information to consult with other providers, including providers who themselves are not covered entities (as defined by HIPAA), to aid in the treatment of a different patient, or to refer the patient to a specialist. Formal HIPAA regulations are quite complex and are detailed here.
[dh_module id=”15767296″]
FAQ
Here are some frequently asked questions when it comes to HIPAA Regulations.
What information can be disclosed without the patient’s consent?
Some of the instances where EMR information can be disclosed without the consent of the patient include
- Coroner’s investigations
- Court litigation
- Information about communicable diseases to a public health department
- Gunshot and knife wounds
- To public health authorities to prevent or control disease, disability, or injury.
- To foreign government agencies upon the direction of a public health authority.
- To individuals who may be at risk of disease.
- To family or others caring for an individual, including notifying the public.
- Psychotherapy notes
Who is exempt from HIPAA?
According to the US Department of Health and Human Services, those exempt from HIPAA include:
- Life insurers
- Employers
- Workers’ compensation carriers
- Psychotherapy