HIPAA: It’s a Private Matter
HIPAA has become a familiar term to anyone who provides or receives health care, which includes nearly every person alive. If you are the patient, you are informed of your rights prior to receiving your care. If you are the healthcare provider, you have been instructed on the importance, the relevance and the legality of the patient’s privacy. For the patient, it may become an annoying redundancy, but it is there primarily to protect the patient’s right to privacy.
HIPAA is an acronym standing for Health Information Portability and Accountability Act. It was signed into law and enacted in 1996 by President Clinton. There are five sections, or titles, summarized briefly as follows:
Title 1: Protects health insurance coverage for individuals who lose or change jobs, and prevents health plans from denying coverage to individuals with specific diseases and pre-existing conditions, as well as prohibiting the setting of lifetime coverage limits.
Title 2: Directs the U.S. Department of Health and Human Services to establish national standards for the processing and transmission of electronic healthcare information.
Title 3: Details tax-related provisions and guidelines for medical care.
Title 4: Further defines health insurance reform.
Title 5: Provisions on company-owned life insurance and the treatment of those who lose their U.S. citizenship for income tax purposes.
For the vast majority of the population, Title 2 is the only part of HIPAA that directly affects us. “HIPAA compliance” is the term most commonly used to refer to the protection of confidential health information, whether it is transferred electronically, in writing or verbally. While HIPAA was signed into law in 1996, full enforcement of its privacy Title for covered entities didn’t begin until April 2003.
With the rise of electronic medical information systems, as well as the electronic storage and transfer of such records, the possibility that confidential information may be compromised increases, just as it does for any personal information that is stored and transferred electronically. Credit card and bank account numbers are another example of highly confidential information that is stored and transferred electronically, and those systems, too, are at risk of security breaches; all of us have at least heard of, or, worse yet, experienced the nightmare of such information being compromised.
Health care information is sensitive in a more highly personal and private way. Most of us have health information that we don’t want turned into general information that is readily accessible online. Further, we don’t want our health care providers sharing it for inappropriate reasons. The HIPAA laws protect our rights as patients by keeping such information from being shared improperly, with potential legal consequences for the medical providers who share it illegally. These consequences typically include fines, but may also involve jail time in extreme cases.
The following examples are all illustrations of the various ways in which your privacy rights may be violated as a patient in our medical system:
- A secretary leaves a fax detailing your private health information lying on the counter in the medical office where staff members and other patients can easily see it.
- Two nurses are discussing the recent surgery results of a patient on their floor while they sit on an outdoor patio having lunch with others in earshot. They use her first name and her room number, as well as the street she lives on, as this is a relatively small town and one nurse wants to clarify to the other exactly who she is.
- Your doctor approaches you when you are dining out in public with friends to ask how you are feeling since your last visit. He asks if your condition has improved.
- A hospital nurse sees that her neighbor has been admitted, but he is not her patient. She has electronic access to all current records, so she logs on to his account to see why he has been admitted.
- A doctor’s office has a “Welcome to Our Practice” board posted with the first and last names of new patients listed.
- A doctor is relaying health information by phone to another doctor, including the patient’s name, birthdate, diagnosis and symptoms. There are family members visiting another patient nearby within earshot.
- An insurance company requests more than the “minimum necessary” information, and the secretary provides confidential information that, legally, isn’t necessary for this particular insurance transaction, for which only the release of the patient’s name, address, birthday and other such information was authorized.
- A hospital housekeeper knows why her neighbor is receiving treatment from what she has overheard from the nurses and doctors talking about him. Another neighbor asks her what she knows, and she tells her the information she heard exchanged between the doctor and nurse.
- A nurse has logged on to a patient’s clinical record, and steps away from her computer for a few minutes to tend to another patient. The computer screen can be seen by anyone standing at the counter.
- A family member who is not authorized to receive confidential information calls to ask questions about the patient. Without checking to see if this family member is listed by the patient as an approved contact, the nurse answers all the questions concerning the patient’s condition.
- Without the parent’s consent, a doctor’s office releases confidential information about a minor child to another physician’s office.
- Your child is having his broken arm cast in a procedure room of a clinic. On the wall in this procedure room is a list of scheduled procedures for the day, including first and last names of all scheduled patients.
- At your chiropractor’s office, you are required to sign your name on a list on the counter to show you have arrived. Your name, as well as everyone else’s, is visible to anyone who approaches the counter.
Each of these situations is considered a HIPAA violation. Some are blatant, some are not so obvious. There are many gray areas, and each potential situation warrants close examination to determine whether a violation did in fact occur.
If, as a patient, you feel your rights have been violated, you can file a complaint with the U.S. Department of Health and Human Services. You can file online at HHS.gov, and the complaint is then handled by the Office for Civil Rights (OCR). If you prefer to make the complaint in writing, you can do so by following the instructions provided online. It can also be submitted by fax. The following information must be included:
- your name—you can request that it is not disclosed within the claim, but it must be on record in order for you to file it.
- full address
- telephone and email addresses
- name and contact information of the agency in question
- brief description of what happened
- any other relevant information
- your signature
If you need special accommodations due to a disability when filing your complaint, you can make OCR aware of your needs and you will be informed of the help available.
Your claim must be filed within 180 days of the violation, unless you are able to show “good cause” for a claim past that date, such as an extended illness.
Under HIPAA law, an entity or agency cannot retaliate against you for filing a complaint. If you feel you have experienced such retaliation, you are encouraged to report it to the Office for Civil Rights (OCR).
Not all entities are required to comply with HIPAA rules, and only covered entities can be investigated. Covered entities include most:
- Physical, Occupational and Speech Therapists
- Nursing homes
- Health Insurance Companies
- Company Health Plans
- Medicare, Medicaid and other governmental health plans
There are special circumstances under which some protected health information may be released without your consent, such as in a criminal investigation or a public health crisis.
While HIPAA is designed to protect the patient, it is not without its challenges in its attempts to keep private information private. It is controlled and interpreted by the United States Department of Health and Human Services (HHS), not a local agency. Therefore, an individual cannot take action directly against an entity such as a clinic or hospital; they must instead file a claim through HHS. The enforcement of HIPAA is limited by shortcomings such as limited staff and funding within HHS. In addition, health care providers have been forced to hire more staff to ensure HIPAA compliance, which increases their costs, and those costs are, in turn, typically passed on to the patient in their billing for services.
In terms of billing, a patient doesn’t have to give their consent to have their insurance billed, which takes away the patient’s right to determine which claims they want their insurance company to see, as well as their right to self-pay, if they so choose. Finally, some providers contract with outside sources for billing and legal services. The patient does not have a legal right to determine which outside sources may see their records. There are signed contracts that keep the information confidential, but if there is a violation, there is little an individual can do.
Prior to the enactment of HIPAA, there was no national law enforcing patient privacy. There were rules and guidelines, but no national policy that provided for consequences when privacy was violated. Those were days of fewer restrictions for medical providers, but of greater risk that private health information would be shared, accidentally or deliberately. In those days, you may have seen first and last names written in plain view on a board behind the nurse’s desk. You may have heard first and last names called freely in a clinic. Encryption was relatively unheard of in the medical setting. Your health information may have been shared with little regard for confidentiality. HIPAA has provided stringent laws that protect the patient from having their private information shared when it shouldn’t be. These post-HIPAA days are here to stay, and for those of us who are patients, despite the extra paperwork, time and attention it takes, we should be thankful.