How HIPAA Protects Your Rights as an Individual

HIPAA is the Health Insurance Portability and Accountability Act.  The law was enacted by Congress in 1996. HIPAA was proposed to address several issues, two of which will be discussed here.


First, many American workers faced serious health insurance issues when they changed jobs or lost their jobs.  Suppose an employee at company X had a child with cystic fibrosis or some other serious illness, or suppose his wife developed breast cancer while he worked for company X.  The employee is laid off.  When he is hired 4 months later by company Z, he finds his new health insurance plan excludes coverage for his wife’s cancer and his child’s cystic fibrosis.  Why?  They were considered pre-existing conditions, and the health insurer was entitled to exclude coverage for medical problems existing before the new coverage began.  Once HIPAA was enacted, the rules changed.  An employee had the right to continue his coverage when he was laid off or to buy a conversion policy.  When he got a new job with company Z, the new health insurance carrier had limited ability, and sometimes no ability, to impose pre-existing condition exclusions on his family’s coverage.

The other key portion of HIPAA is the HIPAA Privacy Rule, which was intended to protect your private health information.  It is this second portion of HIPAA that we are most familiar with today.  When you go to your doctor’s office and they hand you a clipboard with a lot of legal mumbo jumbo, headed with the title “HIPAA Privacy Notice,” you are participating in the privacy protection portion of the statute.  Most people sign and date the bottom of the form with little or no understanding of what they are signing.  However, this is more than mere paperwork; the HIPAA statute offers you important rights and protections.

When the statute was enacted in 1996, Congress was expecting to follow up by enacting specific privacy rules within two years.  The statute called for the Director of the Department of Health and Human Services (HHS) to develop the rules if Congress failed to take action.  Congress defaulted to the Director, and HHS issued the HIPAA Privacy Rules on December 28, 2000, and modified them in response to public comment in 2002.

What Does the HIPAA Privacy Rule Protect and Who Must Comply?

HIPAA protects “individually identified health information.”  That includes information about your past, present or expected future medical condition.  It includes information about both your physical health and your mental health.  Protected health information includes doctor and hospital records, lab results, x-ray reports, and therapy notes.  Medical claim forms, explanation of benefit forms, and medical bills also come under the statute’s protection.

HIPAA does not preclude disclosure of protected medical information in 2 situations.  (1) Providers are required to disclose your medical information to you or to your personal representative. (2) They must disclose to HHS when it does an investigation into the provider’s compliance with the statute or when HHS is taking enforcement actions for fraud or noncompliance.

HIPAA privacy rules apply to all health care providers.  Hospitals, clinics, doctors, dentists, physical therapists, chiropractors, lab facilities, x-ray facilities, and psychologists are some of the health care providers subject to HIPAA privacy rules.  In addition to health care providers, many other health-related industries must comply with the privacy rules.  Health insurance companies, third-party insurance administrators, health care billing companies, and life insurance companies are some of the other entities covered by the rules.

Permitted Disclosures Under HIPAA

The idea behind the statute is to protect your private health information while allowing reasonable disclosure of information among health care providers and insurers.  When your doctor sends you for an MRI, the radiologist must be able to send him the results.  Without some permitted disclosure, the health care industry would be unable to function.  HIPAA permits the following disclosures:

a.    To you the patient and among your providers,
b.    to obtain payment from your health insurance carrier,
c.    to allow you to object to costs or to errors in the record,
d.    for facility directories (allows hospital to keep your information on record),
e.    notifications to family in selected instances (allows hospital to notify family that you have been injured or to request family members to pick you up at discharge),
f.    public interest and benefit activities,
g.    law enforcement and legal proceedings,
h.    compliance with workers’ compensation laws,
i.    research.

Several of these items need a bit more explanation.  Public Interest and Benefit Activities is one.  This permitted disclosure allows physicians to report communicable diseases or toxic exposures that present a danger to the public.  Let’s suppose a hospital emergency room physician discovers that one of his patients has typhoid.  This section allows him to notify the CDC and the health department of a potential epidemic.  It also allows health care providers to report child abuse and to notify the FDA about suspected faulty medical products or drugs.  Another example is reporting workplace injuries and toxic exposures to OSHA.

Item G, Law Enforcement and Legal Proceedings, also requires explanation.  This permitted HIPAA disclosure allows law enforcement to obtain information on victims, to conduct autopsies on murder victims, and to identify a fugitive or a missing person.  It also allows funeral directors to report suspicious findings to authorities.

Minimum Necessary Rule

HIPAA requires that health care providers, insurance entities and others subject to the compliance rules have policies and procedures to help them get the job done with the minimum disclosure of personal and medical information.  Their employees must be screened and trained on privacy laws.  There must be data safeguards in place to prevent hacking or other forms of inadvertent disclosure of private information.

Your Right to Your Medical Records

Under HIPAA, you have the right to review your medical records and to obtain a copy.  The only exceptions to your right to read your records are these: (a) a psychiatric evaluation prepared for litigation; (b) research lab results (if you are part of a study); or (c) the doctor believes reading your records will cause you harm.  Exception (c) usually refers to psychiatric records of a person who is seriously mentally ill.

Exceptions aside, in the ordinary course of events, you are entitled to your medical records.  If you read them and find errors in the information, you are entitled to request that your records be amended.  We see this most often in the doctor’s medical history.  Perhaps the record states that you used cocaine during your teens.  You know you never used cocaine and would never have said that.  You have the right to request that the statement be deleted from your records.  The doctor can refuse, but if he does, you have the right to add a statement of disagreement to the record.  That way, anyone else who reads those records will be aware that you deny making the cocaine statement and that you believe it was entered in error.

HIPAA is an important federal law that protects your rights and your privacy in many ways.  The next time the doctor’s receptionist hands you that clipboard with the HIPAA privacy notice, don’t grumble.  Sign it knowing it is for your protection.

Resources

www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html