Security has become the watchword on everyone’s lips of late. We take our personal and family’s security very seriously as well as the privacy of our credit records and identity information. Often we overlook the security of our medical record and healthcare information. HIPAA (The Health Insurance Portability and Accountability Act of 1996) creates a standard for the security and protection of personal health information.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Most healthcare providers, from your physician to your pharmacist, had until April 20, 2005, to become HIPAA compliant (some smaller organizations have until April 2006 to comply). Healthcare insurance companies, HMOs, employer group health plans, as well as government programs such as Medicare and Medicaid, are also subject to HIPAA compliance rules. In general, the rules apply equally across public and private institutions.
The Security And Accessibility Of Your Healthcare Information
Until HIPAA, there were no federal regulations governing the distribution of health information, and you did not have to be notified when your information was given to someone other than your healthcare provider. Often the reasons the information was released had nothing to do with your healthcare or medical treatment. Financial institutions, employers, and law offices regularly had open access to your health information and made decisions based on what your records contained.
Just like your credit report, your medical record could easily contain mistakes and omissions. A prescribed medication left off a medical record could easily mean the difference between life and death if a healthcare provider was not aware that the patient was taking the medication. HIPAA drives the accuracy and completeness of a patient’s medical record to guard against just such an occurrence.
Until recently most healthcare information was locked in a filing cabinet. Today the majority of your health information is saved in an electronic format. HIPAA addresses the electronic aspects of data integrity and security. Healthcare information must be secured by various means, including passwords that change periodically, encryption for electronic data transmitted or carried offsite, and physical safeguards such as locked doors and access control to data systems. Healthcare data must only be accessed by authorized individuals, and each of them may only access the data relevant to their job function. The front desk registration staff, for instance, should not have access to diagnosis information on a given patient; that job function, or role, generally requires only the demographic information needed to register the patient for the office visit. The billing staff, however, will need detailed diagnosis information to generate appropriate invoices for services rendered during the office visit. Each role in an organization is limited to the information necessary to that job function.
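The role-based, minimum-necessary access described above can be enforced in software with a deny-by-default field policy, and the same component can keep the kind of dissemination log the article mentions later under patient rights. The following is an added illustration written for this page; it is not code from the article or from any HIPAA product. The role names, the field names, the sample chart, and the consent handling are all constructed for the example and are not taken from the regulation.

```python
"""Role-based, minimum-necessary access to a patient record, with a disclosure log.

Constructed example: role names, fields, and the sample chart are made up.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample chart (not real data): every field the record holds.
SAMPLE_RECORD = {
    "patient_id": "P-0001",
    "name": "Jane Doe",
    "date_of_birth": "1970-01-01",
    "address": "1 Example St",
    "insurance_member_id": "INS-1234",
    "diagnoses": ["J06.9"],
    "medications": ["amoxicillin"],
    "procedure_codes": ["99213"],
}

# Constructed role policy: the fields each job function needs. A field not
# listed for a role is denied; there is deliberately no "see everything" role.
ROLE_FIELDS = {
    "front_desk": {"patient_id", "name", "date_of_birth", "address", "insurance_member_id"},
    "billing": {"patient_id", "name", "insurance_member_id", "diagnoses", "procedure_codes"},
    "treating_clinician": {"patient_id", "name", "date_of_birth", "diagnoses", "medications"},
}

# Purposes treated here as routine healthcare use; any other purpose
# (research, marketing) must appear in the patient's consent list.
ROUTINE_PURPOSES = {"treatment", "payment", "operations"}


@dataclass(frozen=True)
class DisclosureEntry:
    """One line of the dissemination log: who saw what, for which purpose."""
    timestamp: str
    user: str
    role: str
    patient_id: str
    purpose: str
    released: tuple
    denied: tuple


class RecordAccess:
    def __init__(self, policy=ROLE_FIELDS):
        self.policy = policy
        self.log: list[DisclosureEntry] = []

    def _record(self, user, role, patient_id, purpose, released, denied):
        self.log.append(DisclosureEntry(
            datetime.now(timezone.utc).isoformat(), user, role, patient_id,
            purpose, tuple(sorted(released)), tuple(sorted(denied))))

    def view(self, record, user, role, purpose, requested=None, consents=()):
        """Return the subset of `record` this user may see, and log the access.

        Deny-by-default: an unknown role gets nothing. Minimum necessary: when
        the caller names the fields it needs, only those are released, and only
        where the role also permits them. Purpose: a non-routine use is refused
        outright, and logged, unless the patient has consented to that purpose.
        """
        patient_id = record.get("patient_id", "?")
        wanted = set(requested) if requested is not None else set(record)
        if purpose not in ROUTINE_PURPOSES and purpose not in consents:
            self._record(user, role, patient_id, purpose, (), wanted)
            raise PermissionError(f"purpose {purpose!r} requires patient consent")
        allowed = self.policy.get(role, set())
        released = {k: v for k, v in record.items() if k in wanted and k in allowed}
        self._record(user, role, patient_id, purpose, released, wanted - set(released))
        return released


if __name__ == "__main__":
    ra = RecordAccess()
    print(ra.view(SAMPLE_RECORD, "alice", "front_desk", "operations"))
    print(ra.view(SAMPLE_RECORD, "bob", "billing", "payment", requested={"diagnoses", "medications"}))
    for entry in ra.log:
        print(entry)
```

The two checks are independent on purpose: the role policy decides which fields a job function can ever see, while the purpose check decides whether this particular release is a routine healthcare use or one the patient must have consented to. Every call, including a refused one, leaves a log entry listing both the released and the denied fields, which is what makes the log useful for answering a patient's question about who has seen their record.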
What HIPAA Addresses
HIPAA’s focus is aimed squarely at security and consent. HIPAA assures that you, the patient, have rights over your healthcare information and sets regulations on who can acquire and view your information and under what circumstances. The Privacy Rule sets clear standards for the protection of personal health information. This protection covers anything a healthcare provider enters in a medical record, conversations about you between doctors, nurses, and other staff, and any other information in the healthcare provider’s computer system, including billing information. HIPAA requires all personnel involved in any aspect of health information to be trained, written privacy procedures to be adopted, and sanctions to be in place for violations. The penalties for knowingly violating HIPAA for commercial exploitation can be as steep as a $250,000 fine and 10 years in prison.
A patient’s health information may only be used for healthcare and related services. A healthcare provider cannot, for example, provide a list of patients to a drug company for marketing purposes. A patient’s healthcare information may be used for other purposes, such as research, but only with the patient’s written consent and a full disclosure of what information will be used. Further, when health information is released, the minimum amount of information necessary is all that is permitted. If a law office requests healthcare information on an individual, only the relevant parts of that information may be released, such as information specific to an accident or insurance claim. In the past it was common to release a patient’s entire chart to a law office when a chart was requested.
HIPAA And Patient Rights
As a patient, you have a right to request and see your medical record and to have corrections made to your record. The healthcare provider may charge a “reasonable, cost-based fee,” which can only cover the cost incurred by the provider for such items as paper, diskettes, postage, etc.
You have a right to allow or refuse the sharing of your healthcare information for purposes such as marketing or research. Healthcare information is generally shared freely between treating providers, such as specialists you are referred to by your primary care physician.
You have a right to know when your information is shared and for what purposes. The healthcare provider is required to keep an information dissemination log detailing this information.
If you believe that your rights have been compromised in any way, you have the right to file a complaint with your healthcare provider, your healthcare insurer, and the federal government.
What HIPAA Means To You
So, what does HIPAA mean to you on your next office visit? It is easy to see that HIPAA means more work for your healthcare provider. Adding layers of administration to the office visit affects every person in the chain, from the front desk registration staff checking you in to the billing staff generating the invoice. Expect to spend more time in your physician’s waiting room and plan for increased paperwork while you wait. Healthcare providers are spending millions of dollars working toward and maintaining HIPAA compliance. That cost will eventually make its way to your insurance company and to your bill for services, as well as to an increased insurance premium over time. There is an associated cost for increased security, and patients will eventually shoulder that cost.
Finally, when in doubt, ask questions. Ultimately HIPAA is meant to protect both you and your healthcare provider. Each organization is required to have a designated HIPAA Security Compliance Officer on staff to coordinate compliance and answer questions. Ask to see this person and ask your questions. Healthcare providers are in the business of providing for your healthcare needs while living under HIPAA constraints. If you have a legitimate problem, chances are it is something that organization needs to address, and you are doing them and yourself a favor by bringing it to their attention.