The Health Insurance Portability and Accountability Act (HIPAA) has been the gold standard for healthcare regulation and patients' rights in the United States since it was signed into law on August 21, 1996. The law has been updated and expanded several times over the past 22+ years with the intention of keeping patients and their personal information safe, much as the PCI DSS requirements are regularly revised to protect consumer payment card data.
As the years progress, more healthcare organizations are adopting new technology in their daily routines, with protected health information (PHI) stored electronically so that doctors and patients can retrieve it on demand. This is convenient, but if PHI is not stored properly, a breach of the organization's systems puts that sensitive care information at risk.
With 2,181 healthcare data breaches reported from 2009 to 2017, exposing or stealing nearly 177 million healthcare records, it is paramount that every healthcare organization follow HIPAA to keep patient records protected. This article covers the specific portions of HIPAA, and of the HIPAA Privacy Rule in particular, that detail patient rights. We will also address the best ways for healthcare organizations to maintain HIPAA compliance and protect their patients' sensitive personal information through HIPAA compliance solutions.
What is HIPAA?
Before we go too deep down the HIPAA patients' rights rabbit hole, let's back up and give a quick overview of what HIPAA is and what it does for both healthcare organizations and patients. HIPAA was passed by the U.S. Congress in 1996 with the goal of giving patients greater access to health insurance while also assuring them that the privacy of their healthcare data was in good hands with their provider. HIPAA was also enacted to promote a more standardized and efficient operational backbone for the healthcare industry, including common formats for electronic transactions. In short, HIPAA was put in place to make the complex healthcare industry run like a well-oiled machine.
Patient HIPAA Rights
Within the HIPAA Privacy Rule, many sections were constructed to protect patients' rights by holding healthcare providers accountable for how protected health information (PHI) is reviewed, used, and disclosed. Healthcare providers must implement the necessary safeguards to ensure that PHI remains private and that any disclosure of PHI is done appropriately. The long list of rules, which is continually being updated and extended, has become fairly confusing for both patients and practitioners. Without further ado, let's dive in and break down the sections of HIPAA that address patients' rights, so you understand what your rights are when you supply your healthcare provider with your PHI.
Patient rights under HIPAA begin with the patient's right to receive a Notice of Privacy Practices (NPP). This is a primary patient right under HIPAA because the NPP describes the types of uses and disclosures of PHI that a covered entity is permitted to make. The NPP must also tell the patient which uses and disclosures require their written authorization, including most marketing uses and any sale of their PHI. Many NPPs also describe the choices a patient can make, such as whether the provider may share information with family members or friends involved in the patient's care. A health plan that posts its NPP on its website must prominently post any material change to the notice by the effective date of the change and must provide the revised notice, or information about the change and how to obtain the revised notice, in its next annual mailing; failing to do so is a compliance violation that can be penalized.
Patients should receive the NPP at their first visit to a provider, and providers must post the notice where patients can see it in the office or facility. Providers with a direct treatment relationship must make a good-faith effort to obtain the patient's written acknowledgment that they received the NPP. Patients who disagree with the NPP for any reason are within their rights to refuse to sign the acknowledgment of receipt, but that refusal does not prevent the provider from using or disclosing their PHI as the notice describes. That may sound disheartening to patients who disagree with the notice, but the provider must document its good-faith effort to obtain the acknowledgment and the reason it was not obtained. A provider that fails to keep this documentation is out of compliance and can face fines from OCR.
Under the right of access, patients have a right to inspect and receive a copy of their PHI, including medical and billing records, in paper or electronic form. If a patient requests their PHI from one or more designated record sets in a particular form and format, the covered entity must provide it in that form if it is readily producible. If it is not, the entity must provide the PHI in a readable hard copy or in another form and format agreed to by both parties; when the PHI is maintained electronically and the patient asks for an electronic copy, the entity must provide it in a readable electronic form and format agreed to by both parties.
If the patient directs the covered entity to transmit a copy of their PHI to another person, the covered entity must send it to the designated person. Such a request must be made in writing, signed by the patient, and clearly identify the designated person and where to send the copy. A covered entity has thirty (30) days to act on an access request, and may extend that period once by no more than 30 days if it gives the patient a written statement of the reasons for the delay and the date by which it will respond.
Patients also have the right to request an amendment to their PHI, to request restrictions on the uses and disclosures of their PHI, and to request that the covered entity communicate with them about their PHI at an alternative location or by alternative means. A patient can ask to have their PHI amended for as long as the covered entity maintains it in a designated record set. The covered entity may require that amendment requests be made in writing with a reason supporting the requested amendment. It must act on the request no later than 60 days after receiving it. If the covered entity cannot act within that time, it may extend the period once by no more than 30 days, provided it gives the patient a written statement of the reasons for the delay and the date by which it will complete its action on the request.
If the amendment is accepted, in whole or in part, the covered entity must append or link the amendment to the affected records, inform the patient in a timely manner, and make reasonable efforts to notify the persons the patient identifies as needing the amendment, as well as others known to hold the PHI, including business associates, who have relied or could foreseeably rely on the uncorrected information to the patient's detriment. If the requested amendment is denied, in whole or in part, the covered entity must provide the patient with a timely written denial. The denial must use plain language and contain all of the elements HIPAA requires, including the basis for the denial, the patient's right to submit a written statement disagreeing with the denial, and how the patient can file a complaint.
Covered entities may use and disclose a patient's PHI for treatment, payment, and health care operations without any signed authorization from the patient. Patients can also authorize, in writing, the disclosure of their PHI to other entities or individuals outside the healthcare organization. Disclosures that are not for treatment, payment, or health care operations and are not otherwise exempt (for example, disclosures to the patient themselves or those made under the patient's authorization) must be tracked by the covered entity, because patients have the right to an accounting, an itemized list, of those disclosures. The accounting covers disclosures made in the six years before the request, and the covered entity must act on the request within 60 days, with one extension of up to 30 days allowed if it gives the patient written notice of the reason for the delay.
The right to request restrictions ties the preceding rights together. Under it, patients can ask a covered entity to restrict how their PHI is used or disclosed for treatment, payment, and health care operations, and to restrict disclosures to family members, friends, and others involved in their care. A covered entity is not required to agree to most such requests, but it must honor a request to restrict disclosure to a health plan for payment or health care operations purposes if the PHI pertains solely to an item or service that the patient (or someone on their behalf) has paid for out of pocket and in full. Separately, health plans are prohibited from using or disclosing genetic information for underwriting purposes.
HIPAA Compliance Solutions
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) is the federal agency that oversees HIPAA compliance. One of the largest resolutions to date was the $5.5 million settlement reached with Memorial Healthcare System in 2017 after the PHI of more than 115,000 patients was improperly accessed, including through the login credentials of a former employee of an affiliated physician's office that had never been deactivated. In 2011, Cignet Health of Maryland was hit with a $4.3 million civil money penalty for ignoring patients' requests for copies of their own records and repeatedly ignoring federal officials' inquiries. More than 173 million patients have had their PHI affected by a data breach of some kind since October 2009, causing harm to families and to the reputations of the healthcare organizations involved. The table below gives an overview of where these breaches originate:
Year | Provider | Health Plan | Business Associate | Other | Total
[Table: number of reported healthcare data breaches per year by type of breached entity; the data rows were not recoverable]
The raw table may not make much sense at first glance, but when the numbers are charted, the trends in healthcare data breaches become much easier to see:
Health plans, business associates, and other entities have leveled off or declined in the number of breaches they report over the past nearly 10 years. Healthcare providers, on the other hand, have seen a large and continuing increase since 2009. For the number of breaches to start declining, all healthcare organizations need a larger focus on HIPAA compliance going forward.
With 78% of U.S. healthcare providers having experienced a successful email-related cyberattack, it is imperative that providers maintain consistent employee education and awareness training to combat these attacks. Healthcare providers need to stop simply checking the boxes of HIPAA compliance and go a step further by developing a comprehensive security and privacy awareness program that teaches users how to spot a phishing attack. HIPAA compliance is incredibly useful, but if a provider's culture is not fully security-aware, compliance alone will not reverse the growing number of data breaches.
If you believe that a covered entity has violated your HIPAA rights or committed other HIPAA violations, you can file a complaint with the Office for Civil Rights in the U.S. Department of Health and Human Services (HHS). Once a complaint is submitted, OCR can investigate the covered entity. Through the concerted efforts of patients standing up for their HIPAA rights and of covered entities protecting PHI and adhering to HIPAA rules, the healthcare industry can become a much safer place to operate. For entities unfamiliar with cyber security practices or unsure whether they are covering all of the bases, contact RSI Security to seek cyber security solutions now.