
Written by Christine Wan | Edited by Zainab Bhatti and Nicole Xu
What is HIPAA?
HIPAA is an acronym that stands for the 2003 Health Insurance Portability and Accountability Act. It is a United States law, developed by the Department of Health and Human Services, that provides privacy standards to protect patients’ medical records and other information that health plans, doctors, hospitals and other health care providers are allowed to access. These privacy standards provide patients with access to their medical records and allow patients greater control over the utilization and disclosure of their personal health information. HIPAA standards represent a uniform, federal set of privacy protections for patients nationwide and do not affect state laws that delineate additional protections (Shiel Jr.).
What are all the privacy standards covered under HIPAA?
The first provision is the privacy rule: this rule protects patients’ right to maintain the privacy of their health information, whether it is oral, written, or electronic. As an example, health providers must request a patient’s written authorization before sharing any health information with third-party entities (Sobers). The main objective of this rule is to maintain a balance that permits the utilization of health information while protecting the patients’ privacy (Centers for Disease Control and Prevention).
The second provision is the security rule: this rule delineates rules for organizations to follow as a means to safeguard patients’ information. This rule details the technical and administrative safeguards required to protect electronic data only. As an example, authentication is required to access healthcare providers’ networks and data systems (Sobers). This rule is put in place in order to ensure the confidentiality, integrity, and availability of all electronic protected health information, detect and safeguard against anticipated threats to the security of the information, protect against anticipated impermissible utilization or disclosures, and certify compliance by the healthcare workforce (Centers for Disease Control and Prevention).
The third provision is the breach notification rule: this rule indicates that in the case of a data leak or security breach, patients must be notified within sixty days. If over five hundred records are leaked or breached, healthcare providers are required to notify the Department of Health and Human Services (HHS). The HHS will then post the incident publicly on its website (Sobers).
The fourth provision is the enforcement rule: this rule illustrates the consequences of non-compliance with these privacy standards. In the case of a security breach, the healthcare provider in question will be fined (Sobers). Generally, HIPAA violations may result in civil monetary or criminal penalties (Centers for Disease Control and Prevention).
The fifth provision is the administrative simplification rule: this rule conveys that medical providers and health plans should standardize their health care transactions (Sobers).
Which entities are covered under HIPAA?
The following individuals and organizations are subject to the Privacy Rule and considered to be covered entities:
- Healthcare providers
- Health plans
  - Exception: A group health plan with fewer than 50 participants that is administered solely by the employer that established and maintains the plan is not a covered entity (Centers for Disease Control and Prevention).
- Healthcare clearinghouses: entities that process nonstandard information they receive from another entity into a standard
- Business associates: a person or organization using or disclosing health information to perform or provide functions, activities, or services for a covered entity
It is also important to note that there are several permitted uses and disclosures of patient health information. For instance, covered entities are permitted to disclose health information without a patient’s authorization for health oversight activities, judicial and administrative proceedings, law enforcement, identification of deceased persons, victims of abuse, and the prevention of a serious threat to health and safety (Centers for Disease Control and Prevention).
Overall, though there are some risks, exceptions, and required disclosures inherent to protecting patients’ health information, there are several standards under HIPAA that aim to protect patient confidentiality as much as possible.
Bibliography
Centers for Disease Control and Prevention. “Health Insurance Portability and Accountability Act of 1996 (HIPAA).” Centers for Disease Control and Prevention, 14 Sept. 2018, www.cdc.gov/phlp/publications/topic/hipaa.html.
Sobers, Rob. “What Is HIPAA and Why Should I Care?” Inside Out Security, 30 Mar. 2020, www.varonis.com/blog/what-is-hipaa-and-why-should-you-care/.
Shiel, William C., Jr. “Definition of HIPAA.” MedicineNet, 21 Dec. 2018, www.medicinenet.com/script/main/art.asp?articlekey=31785.