You may like to think you're the only one with access to your personal medical records, but you're not; in fact, many different parties are allowed to see your records, your financial account information, and insurance information.
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 set national standards in the U.S. for how personal health information is handled and shared. Under HIPAA, you have certain rights when it comes to your personal health information: the right to a copy of your health information, the right to correct errors or make changes to your information, the right to restrict certain uses of your information, and the right to know who other than you has seen your information. Remember, it isn't only you and your doctor who can see (and have seen) what goes in that file. An account manager using a computer to electronically verify your insurance eligibility, for example, has access to your health information, but under HIPAA rules, the health information that's personally identifiable -- we'll get to what that means in a moment -- is hidden from anyone who just wants to take a peek in your file.
Parties with legitimate access to your medical records are called covered entities and are supposed to comply with HIPAA rules. Covered entities include health care providers (doctors, nurses, dentists, hospitals, clinics, pharmacies, etc.) who conduct electronic health care transactions, health plans (including health insurance companies, HMOs, Medicare and Medicaid), health care clearinghouses and third-party business associates (such as claims processors, billing companies or IT specialists) [source: HRSA].
Compliance with HIPAA means covered entities have certain responsibilities when it comes to keeping your data private and secure.
Storing and Sharing Data: Encrypted and Secure
Under the HIPAA Privacy Rule, which became enforceable in 2003 and is enforced by the U.S. Office for Civil Rights, (some of) your identifiable health information is required to be protected from being shared or accessed without your permission. Your identifiable health data, called Protected Health Information (PHI), includes anything your doctor or other health care provider puts in your medical record, as well as any conversations your provider has with other doctors, nurses and other medical professionals. It also includes any of your billing information, as well as any identifiable information your health plan has about you in its computer systems [source: HHS].
Under the HIPAA Security Rule, how your personal information is electronically stored, shared and accessed is protected. Eligible electronic transactions include: claims and encounter information, payment and remittance advice, claims status, eligibility, enrollment status, referrals and authorizations, coordination of benefits and premium payment [source: Centers for Medicare & Medicaid Services]. Covered entities are legally obligated to follow the rules of HIPAA-covered transactions. They, and those they contract to do business with, are all required to sign a legal contract agreeing to protect your information before sharing or accessing your data -- whether it's an online transaction, accessing your records on a tablet or another electronic administrative transaction. Covered entities and their business associates are also responsible for having not only administrative safeguards such as documented policies and employee training for protecting electronic health data, but technical and physical safeguards as well, such as data backup, data encryption and security systems. They're also responsible for disclosing why there is a need to access your health information and what the intended purpose is -- every time.
Outside of covered entities, HIPAA law doesn't apply. That means your employer doesn't need to worry about keeping any of your health data private, nor do workers' compensation providers, life insurance providers, school districts, state agencies (such as child protective services), law enforcement agencies and other municipal offices. The account manager who uses a computer to electronically verify your insurance eligibility is engaging in a HIPAA-protected action and must comply with HIPAA confidentiality rules -- but HIPAA only applies when the transaction is electronic; if the account manager used the phone to verbally confirm your insurance eligibility, HIPAA rules wouldn't apply to the exchange of PHI.
Limited Data Sets
Under some circumstances, HIPAA allows for some of your protected health information to be shared without your permission. Your PHI may be shared without your authorization in an emergency situation -- including emergency medical treatment, but also in the event of bioterrorism or any public health threat. Exceptions to HIPAA also include instances such as public health surveillance (such as collecting information for local flu reports), investigations (such as an emergency medical center reporting a gunshot wound) and research -- even in some health care situations such as interventions [source: CDC]. This information is collected into what is called a "limited data set" (LDS); limited data sets include limited yet personal information about you: your age (in years, months, days or hours), relevant dates (including your date of birth and date of death, and also admission and discharge dates, if applicable) and your basic geographic data (zip code or city and state of residence).
The list of information that isn't allowed in a limited data set is much longer. Under the HIPAA Privacy Rule, the following 16 identifiers can't be included in an LDS: names, Social Security numbers, physical addresses (street addresses), phone numbers, fax numbers, e-mail addresses, URLs, IP addresses, vehicle identifiers (including serial numbers and license plates), full-face photos (or any comparable images) and biometric identifiers (such as your fingerprints). Additionally, no account numbers, medical record numbers, health plan beneficiary numbers, certificate/license numbers nor any device identifiers (including serial numbers) can be included in a limited data set [source: Johns Hopkins Medicine].
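The two paragraphs above amount to a concrete data-minimization rule: a limited data set may keep age, relevant dates and coarse geography, and must drop the 16 categories of direct identifiers. The following is an added example (it is not code from the article or from any of the agencies it cites) of how a data steward might enforce that rule before releasing records for public health or research use. The field names such as "ssn", "mrn" and "notes" are assumptions for illustration; real record schemas vary. The filter is an allowlist rather than a blocklist, so an unexpected field is dropped rather than leaked, and it refuses to release a record when an identifier pattern shows up inside a free-text field, which is where de-identification most often fails in practice.

```python
"""Build a HIPAA limited data set (LDS) from a patient record.

Added example, not from the article. Field names are constructed for
illustration and are not a real schema.
"""
from __future__ import annotations

import re
from typing import Any

# The 16 direct-identifier categories the article lists as prohibited in an LDS,
# mapped to assumed record field names.
PROHIBITED_FIELDS = {
    "name", "ssn", "street_address", "phone", "fax", "email", "url",
    "ip_address", "vehicle_id", "license_plate", "photo", "biometric",
    "account_number", "mrn", "beneficiary_number",
    "certificate_license_number", "device_id",
}

# Fields the article says an LDS may keep: age, relevant dates, basic geography.
PERMITTED_FIELDS = {
    "age", "date_of_birth", "date_of_death", "admission_date",
    "discharge_date", "zip", "city", "state",
}

# Clinical payload fields (assumed names) that are not identifiers themselves.
CLINICAL_FIELDS = {"diagnosis_codes", "notes"}

# Identifier patterns that may hide inside free text. A hit aborts the release
# instead of silently redacting, so a human reviews the record.
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"https?://\S+", re.IGNORECASE),
    "phone": re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b"),
}


class IdentifierLeak(ValueError):
    """Raised when a direct identifier survives into the candidate LDS."""


def scan_free_text(text: str) -> list[str]:
    """Return the names of identifier patterns found in a text value."""
    return [name for name, pat in FREE_TEXT_PATTERNS.items() if pat.search(text)]


def classify_dropped(record: dict[str, Any]) -> dict[str, list[str]]:
    """Report which dropped fields were known identifiers and which were simply
    not on the allowlist. Useful for an audit log of what the filter removed."""
    allowed = PERMITTED_FIELDS | CLINICAL_FIELDS
    dropped = [k for k in record if k not in allowed]
    return {
        "prohibited": sorted(k for k in dropped if k in PROHIBITED_FIELDS),
        "unclassified": sorted(k for k in dropped if k not in PROHIBITED_FIELDS),
    }


def make_limited_data_set(record: dict[str, Any]) -> dict[str, Any]:
    """Allowlist pass: keep only permitted LDS fields and clinical fields,
    then refuse to release if an identifier pattern appears in any text value."""
    allowed = PERMITTED_FIELDS | CLINICAL_FIELDS
    lds = {k: v for k, v in record.items() if k in allowed}
    leaks = [
        f"{key}:{hit}"
        for key, value in lds.items()
        if isinstance(value, str)
        for hit in scan_free_text(value)
    ]
    if leaks:
        raise IdentifierLeak("identifier found in released field(s): " + ", ".join(leaks))
    return lds


if __name__ == "__main__":
    # Constructed sample record, not real patient data.
    sample = {
        "name": "Jane Doe",
        "ssn": "123-45-6789",
        "mrn": "MRN-0001",
        "age": 47,
        "zip": "21205",
        "admission_date": "2013-10-01",
        "diagnosis_codes": ["J10.1"],
        "notes": "Flu-like symptoms, discharged after observation.",
    }
    print(make_limited_data_set(sample))
    print(classify_dropped(sample))
```

Two design points are worth calling out. The allowlist means a new upstream field (say, an "emergency_contact" column added next quarter) is dropped by default instead of flowing through until someone notices. And the free-text scan treats a match as a release failure rather than attempting in-place redaction, because a regex that catches most e-mail addresses or phone numbers is a detection aid, not a guarantee; the article's rules are about what the released set may contain, so the safe default when in doubt is to not release.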
Despite these HIPAA rules in place regarding our medical records, 83 percent of Americans still have privacy and security-related concerns when it comes to their medical records, and nearly 70 percent don't want to have their health information digitized, period [source: Xerox]. So what happens when those fears are validated -- what happens when there's a breach?
If or when a PHI breach does happen, which is often the result of computer theft, according to the Breach Notification Rule, the affected patient (or patients) must be notified, and the incident reported to the Secretary of the U.S. Department of Health & Human Services (HHS). Similarly, if an individual wants to report a privacy violation, they can report the breach to either the covered entity (or business associate) responsible or to the HHS -- or both. Depending on the circumstance, HIPAA violations may result in civil penalties such as fines (called civil money penalties) or in criminal penalties that include not only fines but imprisonment.
Author's Note: How does HIPAA compliance affect data sharing?
Keeping your health information safe is like keeping your Social Security number safe: In the wrong hands it can lead to identity theft -- or when it comes down to curing what ails you, improper treatment because someone else has hijacked your file. So the next time you're visiting your doctor (or hospital or pharmacy), don't just set aside the HIPAA brochure given to you during your visit; that paper contains important information about how your medical records are kept safe.
More Great Links
- American Medical Association (AMA). "HIPAA: Health Insurance Portability and Accountability Act." Sept. 23, 2013. (Oct. 13, 2013) http://www.ama-assn.org/ama/pub/physician-resources/solutions-managing-your-practice/coding-billing-insurance/hipaahealth-insurance-portability-accountability-act.page?
- American Medical Association (AMA). "HIPAA privacy and security toolkit: Helping your practice meet new compliance requirements." 2013. (Oct. 13, 2013) http://www.ama-assn.org//resources/doc/washington/hipaa-toolkit.pdf
- Association of State and Territorial Health Officials (ASTHO) -- Legal Preparedness Series: Public Health & Schools Toolkit. "Health Insurance Portability and Accountability Act Privacy Rule--Fact Sheet." 2012. (Oct. 13, 2013) http://www.astho.org/uploadedFiles/Programs/Preparedness/Public_Health_Emergency_Law/Public_Health_and_Schools_Toolkit/06-PHS%20HIPAA%20FS%20Final%203-12.pdf
- Johns Hopkins Medicine. "Definition of Limited Data Set." Jan. 2005. (Oct. 13, 2013) http://www.hopkinsmedicine.org/institutional_review_board/hipaa_research/limited_data_set.html
- Levin, Adam. "Making Your Medical Records Safer." ABC/Good Morning America. Oct. 13, 2013. (Oct. 13, 2013) http://gma.yahoo.com/making-medical-records-safer-113101752--abc-news-topstories.html
- Partners in Human Research Committee. "Limited Data Sets in Research." (Oct. 13, 2013) http://healthcare.partners.org/phsirb/limdata.htm
- Substance Abuse and Mental Health Services Administration (SAMHSA). "Federal Initiatives Related to Data Sharing." (Oct. 13, 2013) http://www.samhsa.gov/co-occurring/topics/data/data-sharing.aspx
- U.S. Department of Health and Human Services. "Health Information Privacy: Guidance Materials for Consumers." (Oct. 13, 2013) http://www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/index.html
- U.S. Department of Health and Human Services: Centers for Medicare & Medicaid Services. "Educational Materials: HIPAA Information Series for Providers." April 12, 2012. (Oct. 13, 2013) http://www.cms.gov/Regulations-and-Guidance/HIPAA-Administrative-Simplification/EducationMaterials/Educational-Materials.html
- U.S. Department of Health and Human Services: Centers for Medicare & Medicaid Services. "Transaction & Code Sets Standards." April 17, 2013. (Oct. 13, 2013) http://www.cms.gov/Regulations-and-Guidance/HIPAA-Administrative-Simplification/TransactionCodeSetsStands/index.html
- U.S. Department of Health and Human Services: Health Resources and Services Administration -- Health Information Technology and Quality Improvement. "What is a 'covered entity' under HIPAA?" (Oct. 13, 2013) http://www.hrsa.gov
- U.S. Department of Health and Human Services: Office for Civil Rights. "Your Health Information Privacy Rights." (Oct. 13, 2013) http://www.hhs.gov/ocr/privacy/hipaa/understanding/consumers/consumer_rights.pdf
- Wengrovitz, Anne Guthrie. "Overcoming Barriers to Data-Sharing Related to the HIPAA Privacy Rule." Centers for Disease Control and Prevention. June 2004. (Oct. 13, 2013) http://www.cdc.gov/nceh/lead/policy/hipaa_clppp_june17_final.htm
- Xerox. "Fourth Annual Xerox Survey Shows Slow Progress in Patient Knowledge of Electronic Health Records." Sept. 30, 2013. (Oct. 13, 2013) http://news.xerox.com/news/Xerox-releases-4th-Annual-EHR-Survey