
HIPAA rights: What they are, who they apply to, and more
The Health Insurance Portability and Accountability Act (HIPAA) protects patient health information and provides individuals with rights to control the use and disclosure of their health information.
The United States enacted HIPAA in 1996. HIPAA applies to organizations, healthcare professionals, and insurers who handle patient data.
This article looks at HIPAA rights, who must follow HIPAA regulations, and which information HIPAA protects.
HIPAA rights are federal laws that protect a person's privacy and security in relation to their health information.
The Right to Access allows people to access their protected health information (PHI). Healthcare professionals must provide individuals access to their PHI within 30 days of requesting it. People can also request an electronic or hard copy of the information.
The Right to Access includes all health-related information, except information that a healthcare professional collects for legal purposes or psychotherapy notes.
An individual can request a change to their PHI if they believe their health information is incomplete or inaccurate.
The covered entity must respond to the request for amendment within 60 days of receiving the request. A covered entity refers to a healthcare professional or organization that handles patient data and is required to follow HIPAA regulations.
An individual has the Right to Request Restrictions on the use and disclosure of their PHI. This includes:
disclosure to people involved in an individual's healthcare or billing
disclosure to notify others, such as family members, of a person's condition, location, or death
If covered entities agree to the request, they must follow the restrictions, except when treating someone in a medical emergency. Covered entities have no obligation to agree to restriction requests.
Individuals have a right to request an alternative method of communication to the one that the covered entity may typically use. People can also request a certain address for receiving communication.
Accounting of Disclosures is a record detailing why and when a covered entity disclosed a person's PHI, which people have a right to access.
Covered entities do not need to account for disclosures for healthcare operations, treatment, or payment. Covered entities must keep accounting of disclosure records for six years.
A covered entity must receive written authorization from the individual to use or disclose any PHI that is not for healthcare operations, treatment, or payment purposes.
An individual has the right to revoke their authorization of the use or disclosure of their PHI at any time. People must make the request in writing, which becomes effective once the covered entity receives it.
The HIPAA Privacy Rule requires covered entities to provide a Notice of Privacy Practices (NPP) and abide by the terms. These terms include:
how the covered entity may use or disclose a person's PHI
the duties of the covered entity to protect the privacy of the individual, and a description of their rights
stating the right a person has to complain to the covered entity and the U.S. Department of Health and Human Services (HHS) if they believe there has been a violation of their privacy rights
providing a point of contact for making complaints or requesting further information
The following covered entities must follow HIPAA regulations:
Health plans: This includes health insurance companies, company health plans, and government healthcare programs such as Medicare and Medicaid.
Healthcare providers: This describes providers who carry out electronic transactions, such as sending a health bill electronically. This includes most providers such as hospitals, clinics, healthcare professionals, pharmacies, and nursing homes.
Healthcare clearinghouses: A healthcare clearinghouse is a third-party organization that processes data between entities, such as between healthcare providers and insurance companies.
Business associates: Business associates of covered entities must also follow HIPAA regulations. Business associates are people or companies outside of the covered entity who may need to access PHI, such as lawyers, IT specialists, or billing companies.
In many cases, the following organizations do not have to follow HIPAA regulations:
employers
schools and school districts
law enforcement agencies
state agencies, such as child protective services
municipal offices
life insurers
workers' compensation carriers
The following information is protected under HIPAA regulations:
information in a person's medical record from healthcare professionals
conversations between healthcare professionals about a person's healthcare and treatment, such as between a doctor and a nurse
personal information stored in a health insurer's computer system
a person's billing information at a clinic
most health information that a covered entity holds about an individual
Under HIPAA regulations, health information is protected in the following ways:
safeguards that covered entities and business associates must put in place to protect PHI and prevent improper use or disclosure of PHI
covered entities must only use, disclose, or request the 'minimum necessary' information to meet the intended purpose
procedures that covered entities must put in place to limit who is able to access health information
covered entities must carry out training programs for employees on protecting health information
Under HIPAA regulations, health information can be looked at and received for the following reasons:
coordinating a person's treatment and care
healthcare payments
other people involved in a person's healthcare or billing, unless the person objects
ensuring cleanliness, safety, and proper care in healthcare facilities
public health protection, such as reporting local flu outbreaks
necessary police reports, such as gunshot wounds
However, an individual's health information cannot be used or shared without their written permission unless this law allows it.
For example, without authorization from the individual, a provider generally cannot:
give an individual's information to their employer
use or share their information for marketing or advertising purposes
sell their information
HIPAA rights help protect the privacy and use of an individual's health information. Examples of HIPAA rights include the Right to Access, the Right to Request Amendments, and the Right to Request Restrictions.
Certain covered entities must comply with HIPAA rights, such as health plans, providers, and clearinghouses.
People may want to contact a healthcare professional or the HHS for more information about HIPAA rights.