Protecting your sensitive medical information is important. While it can be beneficial for your various medical care providers to quickly share your records over the internet, your medical information can also be used for marketing purposes and—just like information you might carelessly post on social media—it might even be accessed by hackers.
To provide some privacy protection for medical information, Congress passed HIPAA, which stands for the Health Insurance Portability and Accountability Act. But while HIPAA provides some privacy protection, it also has its limits.
What Is HIPAA and What Is Its Purpose?
HIPAA is a federal law designed to protect a patient's sensitive information from being released without their consent.
So, what does HIPPA mean for your privacy? The short answer is that HIPAA helps protect your privacy, but it probably does not provide as much protection as you might think or as much as you would like.
To understand what HIPAA actually does, it's important to know what its two primary purposes are:
- To make it easier for people to obtain and maintain medical insurance, which includes being able to change health insurance plans as your employment situation changes. This is the "portability" part of the Act.
- To protect the privacy of patient information. This is the "accountability" part of the Act.
HIPAA Privacy Rules
HIPAA actually consists of two parts: the Act as enacted by Congress and numerous rules created by the U.S. Department of Health and Human Services (HHS) to implement the Act. Two of these rules that set forth privacy requirements are:
- Standards for Privacy of Individually Identifiable Health Information. Known as the "Privacy Rule," it covers what is called "protected health information" (or PHI).
- Security Standards for the Protection of Electronic Protected Health Information. Known as the "Security Rule," it has additional requirements for safeguarding PHI that is created, received, stored, or transmitted electronically.
Information that is considered PHI includes:
- Hospital and physician records regarding your medical conditions and treatments.
- Lab test results.
- Billings and insurance claims.
- Appointment histories.
- Financial and personal information, such as your name, date of birth, age, address, phone number, email address, Social Security number, and insurance information.
HIPAA Covered Entities
HIPAA does not apply to everyone. It only applies to what the Act calls a "covered entity," which basically includes:
- Health care providers.
- Health plans. This includes Medicare and Medicaid.
- Business associates of health care providers and plans. These provide billing, claims processing, or other services.
This leaves out many others who may obtain medical information about you and your family. Some examples of organizations that are not covered by HIPAA are life insurance companies, employers, school districts, law enforcement agencies, and many state and municipal agencies. Therefore, the medical information you disclose in your life insurance application, or medical information you give to your child's school, is not protected under HIPAA.
If you let your friend know that you have a particular medical condition, and that friend passes that information to someone else, there is no HIPAA violation because HIPAA does not apply to your friend.
Personal Health Information Disclosures
HIPAA rules set forth circumstances under which PHI can be disclosed by a covered entity. This can be broken down into two categories: disclosures that require your written permission and disclosures that can be made without your permission.
Disclosures Requiring Permission
Generally, patient permission for disclosure of PHI is required, unless the HIPAA Privacy Rule specifically permits disclosure without permission. This includes information:
- To be used for marketing purposes.
- Being disclosed in return for financial compensation.
- Regarding psychotherapy and substance abuse treatment.
- To be included in a hospital patient directory.
- Disclosed to a friend or family member with authorization granted by a health care power of attorney or a HIPAA authorization form. This is often done as part of a comprehensive estate plan.
Disclosures Without Permission
Information may be disclosed without your permission if it's necessary for medical treatment, billing, and payment processing.
There are also some rather broad and generally-worded exceptions to the Privacy Rule, which allow government access, such as:
- When required by law.
- Public health activities, such as reporting disease outbreaks.
- Judicial and administrative proceedings, such as court orders and subpoenas.
- Law enforcement.
- To prevent or lessen a serious threat to health or safety.
- Essential government functions.
If a covered entity violates HIPAA rules, it can incur civil fines and criminal penalties. Complaints regarding HIPAA violations are handled by the HHS Office for Civil Rights (OCR).
However, there has been criticism of OCR and the U.S. Department of Justice for failing to aggressively pursue violators.
How You Can Help Protect Your Privacy
Health care providers, medical insurers, and other covered entities typically make efforts to assure they are in compliance with HIPAA privacy rules. This includes training their employees on the rules. However, there are a few things you can do to enhance the privacy, and accuracy, of your medical information:
- You have the right under HIPAA to see and obtain copies of your medical records. If you find inaccurate information, you have the right to have corrections added to your records.
- Read privacy notices. These tell you how the covered entity will use and share your information. They will state when information may be disclosed without your permission and what your rights are to limit this sharing of information. Often, they also give you choices to limit or eliminate some of this sharing.
- Opt out of fundraising and marketing communications.
It's important to understand the basic purpose of HIPAA, its privacy rules, and the limitations of those privacy rules. The HHS website can provide more information about your rights under HIPAA, as can the CDC website.