The Health Insurance Portability and Accountability Act (HIPAA) was established in 1996 to help employees move health insurance plans between employers. Since then, it has been adapted to cover all aspects of health-related privacy, specifically maintaining the integrity of a patient’s protected health information (PHI).
Why is it important to protect privacy?
There are many aspects of patient privacy that are important. Unfortunately, some healthcare conditions – particularly ones relating to sexual health – are still stigmatised by society. Thus, if a person’s health information is shared with unauthorized personnel, it can have serious social consequences for them. In other instances, it is about preserving human dignity – there has been a shocking spate of recent cases where nurses’ aides were caught sharing photos of incontinent or undressed patients on social media. Because such actions are legislated against, those responsible will face consequences. Those consequences can, in turn, deter others from carrying out the same actions.
Why target health data?
Aside from the affront to their human dignity, unlawful access to PHI has other consequences for the patient. Healthcare data has a huge value on the black market (with a single file of PHI potentially reaching $20,000). This means that it is a target both of cyberattacks and of employees hoping to profit from the information. HIPAA requires that all healthcare data is encrypted, reducing the likelihood that it can be accessed and read in the event of a cyberattack.
Healthcare data is so valuable because it usually contains a lot of individual pieces of information – as well as names and addresses, it usually has Social Security Numbers, claims information and details on financial accounts. These pieces of information can be hard to change or cancel, so even if a HIPAA breach has been detected, the information is still “valid” for a longer period than, say, credit card details.
If such data has been accessed or sold, it can then be used to commit fraud. In the healthcare industry, this can mean claiming treatment on someone else’s insurance or even illegally getting restricted drugs via their prescriptions. All can have devastating consequences for the victim. Until it has been proven to be fraud, their insurance premiums will increase and it will be harder for them to access prescriptions in the future.
The data from different PHI files can also be combined to create a new identity. This, again, can hugely complicate the lives of victims as they may receive bills or even court notices intended for their impersonator.
Unfortunately, as PHI has such a high value, patients are increasingly put at risk from cyberattacks or even malicious employees intending to sell their data. This can lead to healthcare fraud, making it difficult for patients to buy insurance or get treatment in the future, or other financial fraud. However, there are also social consequences of unlawful sharing of PHI. Patients may be stigmatized because of their condition, or humiliated by ignorant employees on social media. HIPAA is in place for a reason – to protect patient privacy. All healthcare workers should be made aware of its importance, both from a social and economic perspective.
Importance of HIPAA to Patients: FAQ
What are the dangers of insurance fraud to a patient?
Insurance fraud can have devastating impacts on patients. Fraudulent insurance claims can increase health insurance premiums for individuals, perhaps making insurance prohibitively expensive. If fraud is committed by a healthcare provider, it could cause the patient to undergo unnecessary and costly procedures. Preventing such fraud is a key reason why HIPAA is important for patients.
Are there other benefits to patients?
Yes – alongside implementing safeguards for their privacy, HIPAA has also introduced reforms to the health insurance industry. These reforms guarantee better access to health insurance for those with pre-existing conditions and make it easier for employees to transfer benefits between employer-provided health plans.
How can patients access their PHI?
Under HIPAA, all patients must be able to access their PHI. Each Covered Entity (CE) must have clear procedures in place to facilitate these requests without undue delay. The patient must submit their request in writing, though web-based forms can also be made available. The CE is allowed to charge a “permissible” fee to cover the labor-based costs, postage, etc. of facilitating the PHI access request, but the fee should not cover factors such as the verification of the individual requesting the access or the cost of maintaining the PHI. These are HIPAA requirements and should not be paid for by the patient.
Can patients sue for HIPAA violations?
No, patients cannot sue Covered Entities or their employees for violating HIPAA. This is because HIPAA has no “private cause of action”, so private citizens cannot bring a case against CEs if their PHI has been breached as a result of a HIPAA violation. However, they may be able to bring such cases under State law.
Does HIPAA offer any benefits to Covered Entities?
Yes – though HIPAA is focused on improving patient rights, there are some benefits to CEs. For example, HIPAA has encouraged the streamlining of administration processes, improving the efficiency of CEs. It has also encouraged the use of electronic medical records, which eases the transfer of data between employees and CEs.