HIPAA Rights

By | March 2, 2022

The Health Insurance Portability and Accountability Act (HIPAA) introduced multiple rights for individuals. Some of those rights were created directly by the text of the Act, but the majority followed later in the Privacy Rule. Unfortunately, failure to comply with the Privacy Rule's individual rights is one of the leading reasons for complaints to the HHS Office for Civil Rights.

When HIPAA was enacted in 1996, its references to individuals' rights mostly concerned the original purpose of the Act: to enable employees to carry forward insurance coverage from one employer to another, to prevent the denial of coverage (or the charging of additional premiums) on the grounds of a pre-existing condition, and to guarantee renewability in multiemployer plans.

The HIPAA rights most people are familiar with, the right to health information privacy and the right to access and correct health information, are mentioned in the text of HIPAA (Section 264), but only in the context of the recommendations the Secretary of Health and Human Services was tasked with preparing, and the regulations the Secretary was directed to issue if Congress did not pass a privacy law within three years.

As Congress did not pass a privacy law, the Privacy Rule was issued to establish patients' rights under HIPAA. These rights can be found in 45 CFR § 164.508 through 45 CFR § 164.528 of the HIPAA Administrative Simplification provisions. Because those provisions are complex, a synopsis of the most important HIPAA rights is provided below.

Rights under the Privacy Rule

Information to which individuals' rights under the Privacy Rule attach is known as Protected Health Information (PHI): individually identifiable health information held or transmitted by a Covered Entity or Business Associate. PHI is not limited to information about a patient's past, present, or future physical or mental health condition and the treatment and health care services provided for it; past, present, or future payment information for that care is also protected under the Privacy Rule.

45 CFR § 164.508 – Uses and disclosures of PHI for which an authorization is required

HIPAA Covered Entities and Business Associates may use or disclose PHI without a patient's authorization to carry out treatment, payment, or health care operations, and for the other purposes the Privacy Rule expressly permits or requires (for example, disclosures to the patient or disclosures required by law). Any other use or disclosure, including most marketing and any sale of PHI, requires the patient's prior written authorization. When a Covered Entity seeks an authorization it must give the patient a copy of the signed authorization, and the patient has the right to revoke the authorization in writing at any time, except to the extent the Covered Entity has already acted in reliance on it.

45 CFR § 164.520 – Notice of Privacy Practices for PHI

Patients have the right to receive a Notice of Privacy Practices. The Notice must explain how the Covered Entity may use and disclose PHI, and when an authorization is required for other uses and disclosures. The Notice must also list the patient's other rights, how to exercise them, and how to file a complaint with the Covered Entity and with HHS if their privacy rights are violated.

45 CFR § 164.522 – Right to request privacy protection for PHI

Two of the rights listed in the Notice of Privacy Practices come from this standard. Patients can request restrictions on certain uses and disclosures of PHI. A Covered Entity is generally free to refuse such a request, but it must agree to a request not to disclose PHI to a health plan for payment or health care operations when the patient has paid for the item or service in full out of pocket. Patients can also request that a Covered Entity communicate with them by alternative means or at alternative locations (for example, by post to a different address) when a communication involves PHI, and a health care provider must accommodate reasonable requests of this kind.

45 CFR § 164.524 – Access of individuals to PHI

The right in this standard should also be included in the Notice of Privacy Practices. It gives patients the right to inspect and receive a copy of the PHI held about them in a designated record set, and a Covered Entity must act on the request within 30 days, extendable once by a further 30 days (the 30-day period is currently under review). Patients can also stipulate the form and format in which they receive the copy, for example by email, on a USB drive, or on paper, and the Covered Entity must comply if the PHI is readily producible in that form. Only a reasonable, cost-based fee may be charged for the copy.

45 CFR § 164.526 – The right to amend PHI

Patients have the right to request an amendment to their medical record if, on obtaining a copy of their PHI, they find it to be inaccurate or incomplete. A Covered Entity can decline the request in several scenarios: when the PHI was not created by that Covered Entity (an increasingly common situation now that records flow between Covered Entities), unless the originator is no longer available to act on the request; when the PHI is not part of the designated record set; or when the Covered Entity determines that the PHI is already accurate and complete. A denial must be given in writing, and the patient may then submit a statement of disagreement to be kept with the record.

45 CFR § 164.528 – Accounting of disclosures of PHI

The right to receive an accounting of disclosures, a list of whom the patient's PHI has been disclosed to and why during the six years before the request, is one of the most complicated HIPAA rights standards because so many disclosures are excluded from the accounting (among them disclosures for treatment, payment, and health care operations, disclosures to the patient, and disclosures made under an authorization). The right can also be temporarily suspended for disclosures to a health oversight agency or law enforcement official if that agency or official states that an accounting would be likely to impede its activities.

Rights under the Breach Notification Rule

In addition to the rights granted by the Privacy Rule, individuals also have HIPAA rights under the Breach Notification Rule, which specifies how breaches of unsecured PHI must be reported. The Rule was finalized in the 2013 Final Omnibus Rule, which confirmed that Business Associates must notify the Covered Entity of breaches they discover and replaced the earlier "risk of harm" test with a presumption that any impermissible use or disclosure is a breach unless a risk assessment shows a low probability that the PHI was compromised. Further changes are being considered following the HIPAA Safe Harbor Act of 2021.

At present, patients have the right to be notified of any breach of their unsecured PHI, meaning PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons (for example by encryption) and that has been, or is reasonably believed to have been, accessed, acquired, used, or disclosed in a manner not permitted by the Privacy Rule. Notification must be made without unreasonable delay and no later than 60 calendar days after the breach is discovered. The notification must explain what happened and when, the types of PHI involved, and what steps individuals should take to protect themselves from harm as a result of the breach.

In addition, Covered Entities must describe what they are doing to investigate the breach, to mitigate harm to individuals, and to protect against further breaches. Covered Entities must also provide contact details, which must include a toll-free telephone number, an email address, a website, or a postal address, where affected individuals can seek help or ask further questions. These requirements apply regardless of how many patients are affected; the number affected only determines the additional notifications owed. Breaches affecting 500 or more individuals must also be reported to HHS within 60 days of discovery and, where more than 500 residents of one state or jurisdiction are affected, to prominent media outlets serving that area, while smaller breaches are logged and reported to HHS within 60 days of the end of the calendar year in which they were discovered.

Noncompliance with HIPAA Rights

As mentioned in the introduction to this article, failure to comply with Privacy Rule HIPAA rights is one of the leading reasons for complaints to the HHS Office for Civil Rights (OCR) and subsequent enforcement action. In recent years, complaints about patients' right of access have been among the top five complaints investigated by OCR that have resulted in corrective action and/or a civil penalty.

In November 2021, OCR announced the results of five investigations into non-compliance with the right of access that resulted in corrective action and/or a civil penalty. It is important to note that the settlements and penalties, which ranged up to $160,000, involved small practices as well as larger organizations. Every Covered Entity, whatever its size, therefore needs to be aware of, and comply with, patients' HIPAA rights.

The post HIPAA Rights appeared first on HIPAA Journal.