HIPAA Law and the Privacy Rule to Protect Your Medical Information

Protecting the Privacy of Your Medical Records


With so much personal data stored electronically today, most of us are concerned about privacy. If you wonder what your health care provider is doing to protect your health information, it helps to know what the HIPAA law and its Privacy Rule actually require.

Health plans, health care clearinghouses, and health care providers who transmit health information electronically must follow federal standards, but many companies that handle health data are not required to follow these rules at all. Here's how to know who you can trust with your personal data, and what the HIPAA law and its Privacy and Security Rules mean for you.

Is Your Health Information Safe?

HIPAA was enacted in 1996, and the Privacy Rule and Security Rule that implement its protections for health data followed in the years after it. As technology has changed and information has become more accessible, the rules have been revised, most significantly by the HITECH Act of 2009 and the 2013 Omnibus Final Rule, which extended the rules to the vendors (business associates) that handle health data on a provider's behalf. All of these regulations have been put in place to help keep your private information secure.

What Is the HIPAA Law and Privacy Rule?

The Health Insurance Portability and Accountability Act (HIPAA) and the HIPAA Privacy Rule set the standard for protecting sensitive patient data: they establish standards for the electronic exchange of health information and for the privacy and security of patient medical information handled by the health care industry. HIPAA's Administrative Simplification provisions were designed to protect patient confidentiality while still allowing medically necessary information to be shared. Most health care providers, health plans, and clearinghouses that use, store, maintain, or transmit patient health information are required to comply with the privacy regulations of the HIPAA law.

What Is the Purpose of the HIPAA Act and Privacy Rule?

HIPAA had two main purposes. Title I helps individuals keep health insurance coverage when they change or lose their jobs. Title II, the Administrative Simplification provisions, aims to standardize and simplify health care transactions and control administrative costs. With so much information changing hands between medical providers, health insurers, and other parties in the health care world, the HIPAA Act looked to simplify the handling of documentation and sensitive patient information in the health care industry while protecting the confidentiality of the patient's health information.

Is HIPAA the Only Law That Protects Patient Confidentiality and Health Records?

No. HIPAA is a federal law, but many other laws also protect your privacy and govern how the data in your medical records is handled, and these vary from state to state.

HIPAA is the baseline standard. A state may add its own requirements on top of it, and where a state law is more protective of the patient than HIPAA, the stricter state law applies.

How Does HIPAA and the Privacy Rule Protect My Personal Data?

The HIPAA law is focused on simplifying the health care system and ensuring security for patients. Its privacy protections come from Title II, the Administrative Simplification provisions, which safeguard your medical information. Along with federally ensuring your privacy, the HIPAA law is intended to reduce fraudulent activity and improve data systems. When fully adhered to by all that are required to comply, 

4 Rules of HIPAA for Compliance by Health Care Providers

  • HIPAA Privacy Rule - Limits how protected health information may be used and disclosed, and gives patients rights over their records, such as the right to see and get a copy of them
  • HIPAA Security Rule - Requires administrative, physical, and technical safeguards for protected health information held or transmitted electronically
  • HIPAA Enforcement Rule - Sets out the procedures for investigations, hearings, and civil money penalties
  • HIPAA Breach Notification Rule - Requires covered entities to notify affected individuals and HHS (and, for breaches affecting more than 500 people, the media) when unsecured protected health information is breached

Who Does the HIPAA Privacy Rule Apply To?

The Privacy Rule, as well as all the Administrative Simplification rules, applies to health plans, health care clearinghouses, and any health care provider who transmits health information in electronic form in connection with transactions for which the Secretary of HHS has adopted standards under HIPAA (the "covered entities"). Since the HITECH Act, business associates (vendors that create, receive, maintain, or transmit protected health information on behalf of a covered entity, such as billing services, IT contractors, or cloud hosting providers) are also directly required to comply with the Security Rule and the applicable parts of the Privacy Rule.

Examples of People or Companies That HIPAA Does Not Apply To

  • direct to consumer (DTC) genetic testing companies
  • mobile apps used for health and fitness purposes (unless the app is offered by or on behalf of a covered entity, such as your provider's patient portal)
  • alternative medicine practitioners
  • state agencies, like child protective services
  • law enforcement agencies
  • life insurance companies
  • schools (student health records are generally governed by FERPA instead)
  • your employer (although a group health plan your employer sponsors is a covered entity)

What Is the Purpose of the HIPAA Security Rule?

The HIPAA Security Rule addresses what covered entities and their business associates must do to protect electronic protected health information (ePHI). To be compliant, they must put in place the administrative, physical, and technical safeguards the rule requires to ensure the confidentiality, integrity, and availability of ePHI, and they must carry out and document a risk analysis that identifies where that information is exposed and what they are doing about it.

What Does Protected Health Information (PHI) Mean?

Protected Health Information under the Privacy Rule is any individually identifiable health information that is transmitted or maintained, in any form (electronic, paper, or oral), by a covered entity or its business associate.

What Is Individually Identifiable Health Information?

Individually identifiable health information is information that identifies the patient, or could reasonably be used to identify them, such as a name, address, birth date, or Social Security Number, together with information about the patient's past, present, or future physical or mental health, the provision of health care to the individual, or payment for that care.

What Is De-Identified Health Information?

There are no restrictions on de-identified health information, because it can no longer be tied back to an individual. Under the Privacy Rule, information counts as de-identified only if it was de-identified by one of two methods: the Safe Harbor method, which removes 18 specified categories of identifiers (names, geographic units smaller than a state, dates other than the year, telephone numbers, e-mail addresses, Social Security and medical record numbers, IP addresses, photographs, and so on) and requires that the entity has no actual knowledge the remaining data could identify the individual; or the Expert Determination method, in which a qualified expert documents that the risk of re-identification is very small. Once the identifiers are gone the data falls outside HIPAA, but "very small" risk is not zero, which is why the expert method and the "no actual knowledge" condition exist.
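The Safe Harbor transformations above are mechanical enough to show in code. The following is an added example, not code from the original article or from HHS: it applies the Safe Harbor rules to one constructed patient record (field names, the sample record, and the RESTRICTED_ZIP3 set are all this example's own assumptions; HHS publishes the real list of restricted three-digit ZIP prefixes from census data) and then audits the result for identifiers that survived inside free-text fields, which is where de-identification most often fails in practice.

```python
import re
from datetime import date

# Safe Harbor direct identifiers: these fields are dropped outright.
# Field names are this example's own; map your schema onto them.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "county", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_id", "url", "ip_address", "biometric", "photo",
}

# Dates directly related to the individual keep only the year.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

# Three-digit ZIP prefixes that must become "000" because the area holds
# fewer than 20,000 people. This set is a constructed placeholder; HHS
# publishes the real list from census data.
RESTRICTED_ZIP3 = {"036", "059", "063", "102"}

# Patterns for identifiers that hide inside free text (clinical notes etc.).
FREE_TEXT_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "full_date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),
}


def generalize_zip(zip_code):
    """Keep the first three digits of a ZIP, or "000" for restricted prefixes."""
    prefix = str(zip_code)[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def year_only(iso_date):
    """Reduce an ISO date string such as "1931-04-12" to its year."""
    return int(str(iso_date)[:4])


def safe_harbor_deidentify(record, today=None):
    """Apply the Safe Harbor transformations to one record (a dict)."""
    today = today or date.today()
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS or value is None:
            continue                      # direct identifier: drop the field
        if key in DATE_FIELDS:
            out[key.replace("_date", "_year")] = year_only(value)
        elif key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key == "age":
            out["age"] = "90+" if int(value) >= 90 else int(value)
        else:
            out[key] = value
    # Ages over 89, and any date element (including the year) that reveals
    # such an age, must collapse into a single "90 or older" bucket.
    if "birth_year" in out:
        implied_age = today.year - out["birth_year"]   # upper bound on true age
        if implied_age >= 90:
            del out["birth_year"]
            out["age"] = "90+"
    return out


def find_leftover_identifiers(record):
    """Return (field, pattern_name) pairs for identifiers still present in text."""
    hits = []
    for key, value in record.items():
        if isinstance(value, str):
            for label, pattern in FREE_TEXT_PATTERNS.items():
                if pattern.search(value):
                    hits.append((key, label))
    return hits


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "street_address": "12 Main St",
    "city": "Springfield",
    "zip": "03601",
    "birth_date": "1931-04-12",
    "admission_date": "2021-06-30",
    "ssn": "123-45-6789",
    "diagnosis_code": "E11.9",
    "notes": "Patient callback at 555-123-4567, email jane@example.org",
}


def run_example():
    """De-identify the sample with a fixed reference date, then audit it."""
    cleaned = safe_harbor_deidentify(SAMPLE_RECORD, today=date(2022, 1, 1))
    leftovers = find_leftover_identifiers(cleaned)
    return cleaned, leftovers


if __name__ == "__main__":
    cleaned, leftovers = run_example()
    print(cleaned)
    print("identifiers still present in free text:", leftovers)
```

Two things the sample is built to show: the patient's birth year is dropped, not just reduced, because it would reveal an age over 89; and the structured fields come out clean while the notes field still carries a phone number and an e-mail address. The regex audit is a cheap backstop for that second problem, not a substitute for reviewing or removing free text before release.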

How Do I Make Sure My Health Care Provider Is Taking Steps to Comply With the HIPAA Regulations?

Many health care providers have taken steps such as controlling access to offices and medical files with electronic key card systems, and allowing employees access only to the minimum amount of information they need for their job (the Privacy Rule's "minimum necessary" standard). Encrypted connections and secure transaction services for electronic claims and records are also used by many medical facilities and insurers. If you have concerns about what your health care provider or physician is doing to comply with the HIPAA law, ask them what steps they have taken to ensure your privacy; covered entities are required to give you a Notice of Privacy Practices on request.

If your health insurance comes from a small, self-administered group health plan (one with fewer than 50 participants that is administered solely by the employer that set it up), it may not count as a covered entity and may not have to comply with the HIPAA regulations. It is important to check with them to see whether they are complying, and if not, what steps they are taking on their own to ensure your privacy.

Are There Any Privacy Exceptions to the HIPAA Law?

HIPAA's privacy exceptions allow health care providers and others who are required to follow HIPAA to use or disclose your information in certain situations without your authorization. You should inform yourself about the three most common HIPAA privacy exceptions so you know what information or medical data about you may be legally disclosed without your permission.