Why Were HIPAA Privacy Laws Introduced?
HIPAA privacy laws are concerned with protecting the privacy of patients and health plan members and ensuring only authorized individuals are permitted to access protected health information (PHI). HIPAA privacy laws ensure patients privacy is protected, while still allowing healthcare organizations to use patient data for treatment and payment purposes and healthcare operations.
What Information is Covered by HIPAA Privacy Laws?
HIPAA privacy laws cover a wide range of information, including personally identifiable information or health data created, stored or received by a HIPAA-covered entity. Information such as names, addresses, contact telephone numbers, email addresses, driver’s licenses, Social Security numbers, financial information, health insurance details, financial information, biometric data, images, photographs, videos, and ID numbers are all covered.
Health information relating to past, present or future conditions, details of the provision of medical services, and information relating to payments are similarly covered. Full details of the data covered by HIPAA Rules can be found under 45 CFR 160.103.
HIPAA Privacy Rules also cover all forms of PHI, including physical records such as charts and X-rays along with their electronic counterparts.
Who Can Access Protected Health Information?
Covered entities, including healthcare providers, health plans, and healthcare clearinghouses can access PHI. Provided a business associate agreement has been obtained, covered entities are permitted to share PHI with business associates for the purposes of treatment, payment or healthcare operations. All other individuals and entities, including research institutions, are prohibited from being provided with PHI unless prior authorization has been obtained from the patient in writing.
When PHI is disclosed, it must be limited to the minimum necessary information required for the purpose for which it was disclosed. Prior to information being disclosed, a covered entity must determine what information is required. Just because PHI has been provided to a business associate in the past for a specific purpose, it does not mean that the same information should be provided again. A new determination must be made each time access to PHI is required. The data provided should be determined on a case by case basis.
HIPAA Privacy Laws and Patients’ Right to Access their Health Data
HIPAA Privacy Rules are not only concerned with protecting patient privacy. The HIPAA Privacy Rule permits patients to gain access to their health data and obtain copies of their PHI on request. HIPAA covered entities must provide patients with copies of their health data within 30 days of the request being made. Patients can request their PHI be supplied in paper or electronic form.
If patients are provided with their data, they are empowered to make choices about their own healthcare and become much more involved in their own healthcare. This has been shown to have a positive effect on patient outcomes. Patients also have the opportunity to check their health records for errors and make changes accordingly. It also allows them to provide their medical histories to other healthcare providers or share data with research organizations.
Penalties for Violating HIPAA Rules
HIPAA privacy laws apply to all covered entities and their business associates who are provided with access to PHI. Failure to comply with HIPAA privacy laws is punishable with stiff financial penalties. Covered entities or business associates of covered entities that violate HIPAA Rules can be fined up to $1,500,000 per violation category. That maximum annual fine can be multiplied by the number of years that the violation persisted. Willful neglect of HIPAA Rules can attract a fine of up to $50,000 per day.
The Department of Health and Human Services’ Office for Civil Rights has increased its enforcement of HIPAA Rules in recent years and settlements with covered entities found to have violated HIPAA Rules are being reached much more frequently. Non-compliance with HIPAA Rules will not be tolerated.
Secure Messaging Platforms Can Help Protect Patient Privacy
Many accidental disclosures of PHI have occurred as a result of healthcare employees losing portable devices containing PHI.
Many healthcare organizations have turned to secure messaging platforms to provide a secure method of communicating PHI between members of care teams. The platforms also help them reduce the risk of data breaches.
Secure messaging platforms encrypt all communications and ensure that in the event of loss or theft of a device, PHI is indecipherable and unusable. Since the platform is protected with access controls, only an authorized individual can access messages and PHI. All data stored by the platform can also be wiped remotely if a device is lost or stolen.
Secure messaging platforms provide the same convenience as text messaging, faster communication than email, and all of the appropriate technical safeguards to satisfy the requirements of the HIPAA Privacy and Security Rules. The platforms can also integrate with EHR systems, which has been demonstrated to reduce medication errors, patient safety incidents and accelerate healthcare processes.