Almost everyone in the United States of America recognizes the name HIPAA — but only a small fraction truly understands what it means. HIPAA stands for the Health Insurance Portability and Accountability Act, and it is a federal law that first passed in 1996 and has been updated regularly since.
Though HIPAA does many things for patients, its most famous impact is in its mandated protection of patient health information, which revolutionized how all healthcare entities, from doctor’s offices and hospitals to insurance providers and even employers create, store, request and transfer health information.
No matter who you are within the healthcare system — a provider or patient — you need to know more about how HIPAA works. This guide should get you through the HIPAA basics, so you can use patient data safely, securely and legally from now on.
The most important component of HIPAA by far, and the one that makes this otherwise obscure federal law relevant to everyone, is the Privacy Rule. The Privacy Rule defines what constitutes personal health information and dictates how it may be used and disclosed by any entities subject to the law. These so-called “covered entities” include:
All healthcare providers, regardless of size or specialty.
All providers of health plans, to include insurers, health maintenance organizations, government- and church-sponsored plans, employer-sponsored groups and more.
All healthcare clearinghouses, which tend to process health data for health plans.
All business associates, which pay provide business services to other covered entities.
Covered entities are permitted to use disclose health information without receiving authorization from individuals, but they can only use health information in specific ways Some of those ways include:
Disclosure to an individual. The individual should always be able to access their own health information.
Treatment. Health providers need to be able to access health information to develop and perform treatment plans.
Payment. Healthcare payment systems require the disclosure of healthcare services.
Research. Limited amounts of personal health information can be used to conduct research to improve public health or healthcare operations.
Public interest. There are 12 so-called national priority purposes that involve the use of personal health information, and these include when disclosure of health information is required by law, when it involves abuse, neglect or other types of domestic violence and concerns about public health, such as exposure to communicable diseases or product recalls.
It is worth noting that individuals themselves are not considered covered entities. If you, as an individual, wish to disclose your health information — to anyone — you have full authority to do so. In fact, this is how most health information becomes publicly available; an individual posts their health information on social media or willingly shares it with their employer. These are legal uses of personal health information, though they may result in the exposure of a person’s personal health information to unintended or unwanted parties.
Another critical component of HIPAA is the Security Rule. Though not as well-known as the Privacy Rule, the Security Rule is nonetheless essential to protecting digital personal health information. In short, the Security Rule requires that all covered entities engage in certain levels of cybersecurity activity and behavior to prevent unauthorized access of health information. For example, covered entities must work to safeguard their digital health data against known threats and take steps to prevent anticipated impermissible uses of health information.
Though this general guide might make it seem that HIPAA is easy to understand and uphold, the truth is that there is plenty of nuance within the text of the law. Most covered entities are careful to utilize the expertise of administration professionals equipped with a health information management degree to ensure that they remain totally compliant with HIPAA.
Your health information can be remarkably sensitive, and there are good reasons for you to want to keep your health information as private as possible. Fortunately, HIPAA has clear rules for the entities most likely to come into contact with your health information to reduce the likelihood that your sensitive data will be spread around without your express permission.