The Health Insurance Portability and Accountability Act was first enacted in 1996, but why is HIPAA important in the current healthcare landscape? The Act has cemented the value of patient rights, particularly in relation to the privacy of their health data. In this article, we will discuss how HIPAA has maintained its importance to date.
One of the primary motivations for enacting HIPAA was to grant more rights to employees. Before HIPAA, health insurance plans were often withheld from those with pre-existing conditions. Additionally, those who had plans linked with their jobs found it difficult to transfer benefits between employers, creating a “job lock” that prevented employees from moving between companies. HIPAA expanded employee rights, removing both of these barriers.
Of course, this aspect of HIPAA is very important, but it is perhaps not what HIPAA is now most associated with. Most people, be they healthcare workers or patients, will know of HIPAA as an act that governs the use and disclosure of patient data. Any HIPAA covered entity (CE, including health plans, healthcare clearinghouses, and healthcare providers) that handles personally identifiable patient data must be HIPAA compliant. This data is called “protected health information” (PHI) and is distinguished from other health data by the presence of one of 18 HIPAA identifiers.
It is therefore important for CEs to ensure that they understand their obligations under HIPAA, as violations of the Act can incur severe financial (or even criminal) penalties. Yet HIPAA has brought along some benefits to businesses. HIPAA guidelines have enforced minimum standards across the healthcare industry, making it easier for patient data to be transferred between CEs safely and efficiently. Healthcare administration was further eased by the introduction of the HITECH Act in 2009, which incentivized companies to use electronic medical records.
HIPAA is perhaps most beneficial – and therefore important – for the patients whose data it protects. Without HIPAA, healthcare providers, healthcare clearinghouses, and health plans would have almost no incentives to ensure that PHI remains confidential. However, despite its importance, many patients will be unfamiliar with the rights granted to them by HIPAA.
HIPAA is composed of several different rules that govern different aspects of privacy law. The HIPAA Security Rule, for example, establishes the minimum technical, administrative, and physical safeguards required to keep data private. This can include anything from two-factor authentication to ensuring that filing cabinets have adequate locking mechanisms. The HIPAA Breach Notification Rule stipulates when, and under what time limits, patients should be notified if their data has been accessed by unauthorized individuals.
The HIPAA Privacy Rule is potentially most relevant to patients. The Rule dictates who can access PHI, and under what circumstances it can be used and disclosed. This ensures that the data stays confidential and is only used by the intended individuals or services. The HIPAA Privacy Rule grants additional rights to patients; it gives them the right to access, amend, or request copies of their health data. The patient may wish to amend PHI if they feel it is inaccurate, or have copies of their data to pass on to another healthcare provider. This allows the patient greater autonomy over their data, and means that – if they so wanted – they could seek a second opinion.
HIPAA, therefore, has a number of implications for both healthcare organizations and patients. As well as achieving its original goal of reforming the health insurance industry, it has been instrumental in transforming how sensitive patient data is handled. That, amongst other things, is why HIPAA is important.