The Healthcare Insurance Portability and Accountability Act (HIPAA) has been the gold standard for healthcare regulations and patient rights since the law was passed in 1996 by the U.S. government. HIPAA has been updated and added to several times over the course of the past 22 years with the intention of keeping patients and their personal information secure.
Today, more healthcare organizations that deal with public health issues are utilizing innovative technology. Their daily routines regarding patient protected healthcare information (PHI) being stored for use in being recalled by doctors and patients at their request is driving this trend. While technology increases convenience, if the storage of patient PHI is not done properly, it can put that sensitive patients care information at risk if security systems are breached. HIPAA is designed to prevent such scenarios.
With 2,181 healthcare data breaches reported from 2009 to 2017 that caused nearly 177 million healthcare records to be stolen or exposed, it’s paramount that all healthcare organizations follow HIPAA to ensure that patient records are completely protected. Here we’ll cover the specific portions of HIPAA and the HIPAA Privacy Act that details patient rights. We’ll also address the best ways for healthcare organizations to maintain HIPAA compliance to protect their patients’ sensitive personal information through HIPAA compliance solutions.
Why Does HIPAA Exist?
Before going too deep down the HIPAA patient rights rabbit hole, let’s backtrack and give a quick overview of what HIPAA is and what it does for both healthcare organizations and patients. First, HIPAA was passed by the U.S. Congress in 1996 with the goal of providing patients with greater access to health insurance while also providing them with peace of mind that their privacy of healthcare data was in good hands with their provider. HIPAA also promotes a more standardized and efficient operations platform and backbone for the healthcare industry to operate under. In short, HIPAA was put into place to make the healthcare industry more secure.
Assess your HIPAA Compliance
Patient Rights Under HIPAA
Within HIPAA privacy rule, there are many sections that were constructed for protecting patient’s rights by holding healthcare providers accountable for how PHI is reviewed, used, and disclosed. Healthcare providers must implement the necessary safeguards to ensure the PHI remains private and that the disclosure of PHI is done in an appropriate manner. The massive list of rules that are constantly being updated and added to have become fairly confusing for both patients and practitioners. Without further ado, let’s dive in and break down the sections of HIPAA where patient’s rights are addressed to help you understand what your rights as a patient are when you supply your healthcare provider with your PHI.
1. The Right to Notice of Privacy Practices (NPP)
Patient Rights under HIPAA regulations begin with the patient’s rights to receive a Notice of Privacy Practices (NPP). This rule is a primary Patient Right under HIPAA as it deals with the description of the types of uses and disclosures of patient PHI a covered entity is permitted to make. The NPP rule requires that NPPs include a statement to the patient noting when any of their PHI is to be used for certain kinds of promotional or marketing purposes that the disclosure of the patients’ information would require their authorization. Some NPPs also include an optional section that will alert the patient’s friends or relatives about a treatment if one has been scheduled by the healthcare provider. Healthcare organizations that post their NPPs on their websites are required to notify individuals in their next annual mailing before the effective date of any revisions to their websites to avoid receiving a fine.
Patients should receive the NPP on their first visit to a provider, and providers should post the notice where patients may see it in the office or facility. The NPP rule requires that a patient’s doctor, hospital, or other healthcare provider ask them to state in writing that they have received the NPP and understand what the NPP is comprised of. If a patient doesn’t agree with the details of the NPP for any reason, they are well within their rights to refuse to sign the acknowledgment of receipt of the NPP, but their refusal to sign does not prevent their healthcare provider from using or disclosing their PHI. This might sound disheartening to patients who disagree with the signing of their NPP, but rest assured that your refusal to sign the acknowledgment of receipt must be documented by your provider. Any undocumented refusals by the healthcare provider will ultimately lead to big fines due to HIPAA noncompliance.
2. The Right to Access PHI
Under the Right to Access PHI rule patients have a right to receive a copy of their PHI in either electronic or paper formats. This rule deals with the divulging of medical and billing records as well. Furthermore, if a patient requests to receive their own PHI from one or more designated record sets, the covered entity must provide them access via the format that they have requested. If that PHI format is not available because it is not maintained in said format, the entity must provide the patient with their requested PHI in a readable electronic format that is agreed to by both parties.
If the individual directs the covered entity to transmit a copy of the individual’s PHI to another individual, the covered entity must comply in transmitting the PHI to the designated person. Any such request should be given by the patient to the covered entity in writing with clear identification of the designated person. Following this request, covered entities have thirty (30) days to appropriately fulfill the patients’ request.
3. The Right to Amend PHI
Under this rule, patients have the right to inspect their PHI and to obtain a copy of it, request an amendment to their PHI, request restrictions on the uses and disclosures of their PHI, and request that the covered entity communicates with them about their PHI at an alternative location or via alternative means. The individual’s PHI can be amended for as long as the covered entity maintains the PHI in a designated record set. Requests to amend PHI must be in writing with a reason to support a requested amendment. From there, the covered entity must act on the request no later than 60 days after receipt of such a request. If the covered entity is unable to act within the required time limit, they may extend the time by no more than 30 days, if they are able to provide the patient with a written statement of the reasons for the delay and the proposed date that the patient should receive the amendment on.
If the amendment is granted, in whole or in part, the covered entity must make the correction and inform the patient of the agreement in a timely manner. From there, the covered entity must distribute the overview of the correction to all individuals requesting the amendment to the PHI and those who are currently in possession of the PHI. If the requested amendment is denied, in whole or in part, the covered entity must provide the individual with a timely written denial. The denial written by the covered entity must use plain language and contain all elements required by HIPAA including the basis for the denial and the patient’s right to submit a written statement in response to the denial.
4. The Right to Accounting of Disclosures of PHI
Patients can also request to disclose their PHI to other entities or individuals outside the healthcare organization. This includes information related to treatment, payment, or health care operations. In these cases, the patient is not required to sign any type of authorization form. Any disclosures that are not part of treatment, payment, and/or operations and not authorized by the patient must be actively tracked by the covered entity. A patient’s request for the accounting (itemized list) of their disclosures must be provided to them by the covered entity. The accounting of disclosures can go back to the past six years for carrying out treatment, payment and health care operations from which the request to exercise this right is made.
5. The Right to Request PHI Usage Restrictions
This rule is technically a culmination of the previous five HIPAA patients’ rights rules. In this rule, patients have the freedom to choose which individual or entity they wish to disclose or restrict their PHI to. The areas that patients can request restrictions on are for PHI pertaining to treatment, payment, and health care operations as well as the disclosure of PHI to family members, friends, and others involved in their immediate care. Covered entities must comply with a patient’s request to restrict disclosures of their PHI if the information pertains solely to items or services paid out of pocket and in full. Covered entities are also restricted from disclosing a patient’s PHI that is comprised of genetic information for underwriting purposes without the patient’s consent.
Are There Solutions to HIPAA Compliance?
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) is the federal agency that oversees HIPAA compliance. The largest fine to date was the $5.5 million fine levied against Memorial Healthcare Systems in 2017 for improperly accessing confidential PHI from more than 115,000 patients. Several years prior in 2010, Cignet Health of Maryland was slapped with a $4.3 million fine for ignoring patients’ requests to obtain copies of their own records and repeatedly ignoring federal officials’ inquiries. More than 173 million patients PHI being affected via a data breach of some kind since October 2009 which has resulted in damage to families and the reputation of those healthcare organizations.
The below chart can give you a more in-depth overview of where these data breaches originate from:
| Year | Provider | Health Plan | Business Associate | Other | Total |
| 2009 | 14 | 1 | 3 | 0 | 18 |
| 2010 | 134 | 21 | 44 | 0 | 199 |
| 2011 | 137 | 20 | 42 | 1 | 200 |
| 2012 | 155 | 22 | 36 | 4 | 217 |
| 2013 | 199 | 18 | 56 | 5 | 278 |
| 2014 | 202 | 71 | 41 | 0 | 314 |
| 2015 | 196 | 62 | 11 | 0 | 269 |
| 2016 | 257 | 51 | 19 | 0 | 327 |
| 2017 | 288 | 52 | 19 | 0 | 359 |
| Total | 1582 | 318 | 271 | 10 | 2181 |
Source:https://www.hipaajournal.com/healthcare-data-breach-statistics/
The above table might not make much at first glance, but when the numbers are charted into a more visually appealing format, it’s much easier to understand the trends in Data Breaches in the Healthcare industry.
As we can see, health plans, business associates, and other entities have either leveled out and/or decreased in the number of data breaches they have witnessed over the past nearly ten years. On the other hand, healthcare providers have still seen a large uptick that doesn’t look to be slowing down since 2009. For this number of breaches to start declining, there needs to be a larger focus on HIPAA compliance in the future for all healthcare organizations.
With 78 percent of U.S healthcare providers having had experienced a successful email-related cyberattack, we can see that it is imperative for healthcare providers to maintain consistent employee education and awareness training to combat these cyberattacks. Healthcare providers need to stop simply checking the boxes of HIPAA compliance and take it one step further in developing a comprehensive approach to security and privacy awareness to educating users on how to spot a phishing attack.
HIPAA compliance is incredibly useful, but if the healthcare providers’ culture is not fully security-aware, it will ultimately not be effective at decreasing the growing number of data breaches. Healthcare organizations need to leverage the latest cybersecurity innovations like Personal Identifiable Information (PII) scanner technology to keep PHI safe and secure.
Closing Thoughts
For those believing that their HIPAA rights have been violated by a covered entity or that the covered entity had committed other HIPAA violations, you can file a complaint with the Office for Civil Rights in the U.S. Department of Health and Human Services (HHS). Once the complaints have been submitted to the HHS, OCR can investigate said complaints against the covered entities.
Through concentrated efforts by patients to stand up for their entitled HIPAA rights and the efforts of covered entities to protect patient PHI and adhere to HIPAA rules, the healthcare industry can become a much safer place to operate. For entities unfamiliar with cybersecurity protocol or unsure if they are covering all of the bases, contact RSI security for HIPAA-compliant cybersecurity solutions now.
Download Our Complete Guide to Navigating Healthcare Compliance Whitepaper
Not sure if your HIPAA or healthcare compliance efforts are up to snuff? Unsure about where to even start? Download RSI Security’s comprehensive guide to navigating the HIPAA and healthcare compliance labyrinth. Upon filling out this brief form you will receive the whitepaper via email.