Many people are likely to encounter the five-letter acronym ‘HIPAA’ in healthcare settings. It stands for a public law officially named “The Health Insurance Portability and Accountability Act of 1996.” HIPAA, as it’s now called, was based on legislation first introduced by Senators Ted Kennedy and Nancy Kassebaum.
Jump ahead to these sections:
They saw the need to amend the Internal Revenue Code of 1986 to “improve portability and continuity of health insurance coverage ... combat (healthcare) waste, fraud, and abuse… promote the use of medical savings accounts, improve access to long-term care services... simplify the administration of health insurance, and for other purposes.”
When President Bill Clinton signed HIPAA into law on August 21st, he made note of the section we’re most familiar with today: “It will modernize, streamline, and cut the cost of insurance paperwork by devising a uniform electronic system for paying health care claims. It will provide steps to protect the privacy of people in the system as it does so.”
Despite its ambitious origins, HIPAA can be boiled down to its basic intent as people recognize it nowadays: to protect sensitive medical information. But what does HIPAA do for your everyday person? How does it work?
What most people simply think of as “HIPAA” is more specifically related to the one part of the law that required the Department of Health and Human Services (HHS) to develop regulations to protect confidential health information. HHS issued its first set of rules on December 28, 2000 as the “Standards for Privacy of Individually Identifiable Health Information.”
HHS issued additional rules in 2013 related to the Health Information Technology for Economic and Clinical Health (HI-TECH) Act, and again in 2016 regulating information shared with the National Instant Criminal Background Check System (NICS).
These combined "privacy rules” are what we talk about when we talk about HIPAA.
The introduction of the HHS privacy rules says that “Privacy is a fundamental right… Among different sorts of personal information, health information is among the most sensitive.“
One purpose of the HIPAA privacy rules is to identify each of the many pieces of data collectively called “protected health information,” also known as PHI.
A person’s protected health information consists of any information that, if shared, would allow someone else to identify and link them to some aspect of their health situation or medical record. It can be in any form — electronic data, printed or written on paper, even spoken words can be considered PHI.
The HIPAA privacy rules detail ways clinical and other staff may use PHI in the course of their duties, along with how they must protect it.
These regulations set forth the responsibilities of healthcare organizations for, among other things, training staff and providing secure methods for storing and accessing PHI. They also establish penalties for noncompliance.
Just about every person in healthcare has some contact with some form of PHI, from the administrative and support staff working in offices and around the facility, to the nurses, doctors, technicians, and others providing direct patient care. Every one of them is responsible for complying with the HIPAA privacy rules.
All of these staff members also need to access and share this sensitive information to some extent in order to perform their work. To comply with HIPAA privacy rules, it’s important to only share the information needed in any given situation.
For example, a nurse requesting a test will provide the lab only with the PHI that will enable it to obtain the right sample on the right patient and report the result.
Healthcare organizations are responsible for training staff about their responsibilities related to HIPAA privacy rules and PHI, for limiting access to PHI to authorized users, and for securely storing it no matter what form it’s in.
The methods for doing so can include protecting access and storage with security software and data encryption. Another common technique is using locked cabinets to store discarded paper records until they’re shredded.
HIPAA is what keeps this information under lock and key, but as hacking techniques improve, healthcare providers are under increasing pressure to manage this data securely and keep it airtight.
Q: What information is protected by HIPAA?
HIPAA privacy rules define a wide range of data as Protected Health Information (PHI). This includes any clinical information in a medical record such as a diagnosis, test result, or progress note, as well as non-clinical information like name, address, or age.
PHI is data that, if shared, could be used to identify someone and their health situation, no matter how vague or incomplete it might seem on the surface.
Q: What are common HIPAA violations?
According to the HIPAA Journal, individual employees most often violate HIPAA privacy rules when they access a record they have no legitimate reason to, such as looking up a neighbor, friend, or co-worker.
Another frequent violation is leaving a laptop, smartphone, or another device with access to PHI unattended or unsecured. The same is true for paper records and charts — all must remain under control and be carefully protected from unauthorized access.
Copying PHI onto a thumb drive or emailing it to a personal account is also a privacy violation, and could even be considered theft.
The most common HIPAA violation by healthcare employers is failing to conduct a regular risk assessment throughout the organization, to determine whether its PHI is vulnerable. While such analysis may be time consuming and expensive, not doing so places the organization and the people it serves at-risk for PHI to being improperly accessed, stolen, or misused.
Q: Who undergoes HIPAA training at a hospital?
Just about anyone working in a healthcare setting is likely to encounter PHI in the course of their work. HIPAA training is included in all employee orientation programs and is an important part of the annual review for clinical staff of required skills and competencies.
Q: Who is exempt from the privacy provisions of HIPAA?
Anyone who does not handle PHI (create, receive, maintain, or transmit) is exempt from the privacy rules.
HIPAA Protects Everyone
Our relationship with our clinicians is based on trust. They trust us to provide them with accurate information that can guide our diagnosis and treatment. In turn, we trust them to use our personal information appropriately and protect it as carefully as anything else we value.
- “Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule and the National Instant Criminal Background Check System (NICS).” Federal Register, U.S. Department of Health and Human Services, Office of Civil Rights, 6 January 2016, www.federalregister.gov/documents/2016/01/06/2015-33181/health-insurance-portability-and-accountability-act-hipaa-privacy-rule-and-the-national-instant
- “Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules.” Federal Register, U.S. Department of Health and Human Services, 25 January 2013,
- “Public Law 104 - 191 - Health Insurance Portability and Accountability Act of 1996.” GovInfo.gov, U.S. Department of Health and Human Services, 21 August 1996, www.govinfo.gov/app/details/PLAW-104publ191
- ”Remarks on Signing the Health Insurance Portability and Accountability Act of 1996.” GovInfo.gov, U.S. Department of Health and Human Services, 21 August 1996, www.govinfo.gov/content/pkg/WCPD-1996-08-26/pdf/WCPD-1996-08-26-Pg1477.pdf
- “Standards for Privacy of Individually Identifiable Health Information.” Federal Register, U.S. Department of Health and Human Services, 28 December 2000, www.federalregister.gov/documents/2000/12/28/00-32678/standards-for-privacy-of-individually-identifiable-health-information
- “The Most Common HIPAA Violations You Should Be Aware Of.” HIPAA Journal, HIPAA Journal, 26 April 2019, www.hipaajournal.com/common-hipaa-violations/