This is the third article in the ‘Benefits of HIPAA’ series, this time around exploring how the Health Insurance Portability and Accountability Act (HIPAA) and its subsequent amendments have benefited patients. The first article in the series explored how HIPAA has benefited healthcare organizations and the second covered the key benefits of HIPAA for healthcare professionals.
A World of Change for Patients
It has now been 27 years since HIPAA was signed into law by President Clinton. Memories of what the healthcare industry was like before that time may be starting to fade, but it should not be forgotten just how important HIPAA was at that time and has continued to be for more than a quarter of a century since. The initial Act introduced standards in healthcare to improve efficiency and make sure that healthcare providers, health plans, and healthcare clearinghouses followed standard practices and used the same code sets.
No system can function efficiently if the different components do not speak the same language, yet this was essentially how the healthcare system operated at the time. That system worked well when healthcare was provided on a one-to-one basis between a clinician and a patient, but as the healthcare ecosystem was becoming more complex, change was desperately needed to ensure healthcare information could be easily transferred to where it was needed, without requiring time-consuming and costly manual processes to convert the data into a usable form. In addition to helping clinicians have access to the data they need, HIPAA has also helped health plans process claims more efficiently and ensures funds are rapidly transferred to pay for healthcare services.
HIPAA made it easier for healthcare providers and health plans to share data electronically and that has helped patients by improving the continuity of care. Recent rules introduced by the HHS have helped to remove some of the barriers to information sharing and ensure that healthcare organizations and electronic health record providers do not engage in practices that could block or hamper the sharing of patient data. That is helping to prevent patients from incurring unnecessary costs, such as having to redo medical tests when they change healthcare providers.
HIPAA has helped to improve the accuracy of record keeping, making it easier to match medical records with the right patients, thus preventing medical errors. HIPAA has also played an important role in reducing healthcare fraud, which was forcing health insurance providers to massively increase their premiums to cover the losses.
One of the initial aims of HIPAA was to improve the portability of health insurance and help to prevent Americans from falling into a job lock situation, where they felt unable to change jobs due to the fear of losing health insurance coverage. While HIPAA has not solved the problem of job lock, it has certainly helped. HIPAA also helped to expand health insurance coverage and prevent discrimination, by ensuring individuals could not be denied health insurance due to pre-existing medical conditions.
Privacy and Security of Healthcare Data
HIPAA called for the Secretary of the Department of Health and Human Services to adopt standards to ensure patient privacy and data security, which were added a few years later in the Privacy and Security Rules. Before the HIPAA Privacy Rule was signed into law, patients did not have a federal right to healthcare data privacy and there were no federal restrictions on disclosures of that data or how healthcare data could be used. A patient’s healthcare information could be used for marketing purposes without restriction, and before the HIPAA Privacy Rule, healthcare providers were not required by law to provide a patient with a copy of their medical records.
The HIPAA Privacy Rule introduced standards for privacy, stipulating exactly when healthcare data could be disclosed and required patients to provide their authorization before their healthcare information could be used for most purposes other than the provision of healthcare, payment for healthcare, and other essential uses necessary for healthcare organizations to provide their services. HIPAA ensured that disclosures of healthcare data were limited to the minimum necessary amount, prohibiting a patient’s entire medical records from being disclosed when the entire record was not required. HIPAA has ensured that, in general, healthcare information cannot be provided to an employer, be used for marketing or advertising purposes, or be sold without written authorization from the individual.
These privacy protections and the need to keep healthcare data secure seem like basic rights today, yet before the HIPAA Privacy and Security Rules were signed into law, there wasn’t a legal requirement to ensure the privacy and security of healthcare data, and healthcare providers and health plans were not accountable for privacy violations and security failures.
HIPAA Gave Patients New Rights
In addition to benefitting patients in these ways, HIPAA gave patients several new rights over their healthcare data. One of the most important rights is the ability to inspect healthcare data. Healthcare providers accurately record patient information, but errors can be made. The Privacy Rule gave patients the right to check their medical records for errors and have those errors corrected. Before the Privacy Rule was introduced, those errors would likely have remained, threatening patient safety. Patients were also given the right to obtain a copy of their healthcare data, which allows them to take it to a new healthcare provider and disclose that information to whomever they wish, be that a friend, family member, or a medical research institution. Recent changes have also allowed patients to have their healthcare information sent to the health app of their choosing.
The HIPAA Privacy Rule ensured transparency of privacy practices, ensuring patients are enforced about how their healthcare data will be used – through Notices of Privacy Practices – and to whom the information has been disclosed – Accounting of Disclosures, a copy of which can be obtained on request. Patients were also given the right to request restrictions on disclosures of their healthcare information, putting them in control of who is provided with their sensitive healthcare information.
HIPAA does not have a private cause of action, which means a patient can’t sue for a HIPAA violation; however, patients do have the right to file a complaint about a HIPAA violation with a healthcare provider or health plan and can submit a complaint to the HHS’ Office for Civil Rights, which will investigate and take action. Further, when there is an unauthorized disclosure of healthcare information, or when that information has been exposed, patients need to be notified, which allows them to take action to protect against identity theft and fraud.
How the Pending HIPAA Privacy Rule Update Will Benefit Patients
It has been two decades since the HIPAA Privacy Rule was signed into law and a lot has changed in that time. Certain aspects of the Privacy Rule have proven to be cumbersome for HIPAA-covered entities, and there are several areas where improvements are required for patients. Fortunately, some important updates are about to be made that will deliver even more benefits for patients and will improve access to medical records.
Obtaining a copy of medical records is a fundamental right of HIPAA, but the timescale for providing those records is hardly appropriate in the digital age. The latest update will see the time shortened for providing a copy of a patient’s records from 30 days to 15 days, and if an extension is permitted, that time frame has similarly been reduced to 15 days. That means a maximum of 30 days to obtain a copy of the requested records. To further improve access, patients will also be allowed to take notes and photographs of their records, should they so wish. The burden of identity verification when requesting access to records has also been reduced and it has been made easier for patients to direct their healthcare providers to transfer their records to another healthcare provider.
Patients can be charged for copies of their medical records, and while there are restrictions on what can be charged, the update will help to prevent patients from incurring unnecessary or unexpected costs. There has been clarification on when copies of electronic medical records must be provided free of charge, and healthcare providers are required to publish how much patients will typically be charged if they want paper copies of their records.
Another important change will help to improve patient safety, as the ability of healthcare providers to disclose patient information to avert a threat to health or safety has been expanded. They will be able to disclose patient information when harm is “serious and reasonably foreseeable,” instead of a “serious and imminent” threat to health or safety. The changes will also facilitate the sharing of patient information to improve care coordination and case management for individuals, which is intended to improve family and caregiver involvement in the care individuals need when experiencing emergencies or health crises.
Moving Forward – Where HIPAA Needs to Change
The updates to the Privacy Rule will certainly benefit patients, but there is one area where HIPAA lets patients down. HIPAA only applies to healthcare data when it is collected, maintained, stored, or transmitted by a HIPAA-regulated entity. The same healthcare data could be collected, maintained, stored, or transmitted by another entity, and would not be protected by HIPAA. For instance, healthcare information could be stored in a health app, and that information would fall outside the protections of HIPAA. What is now needed is an expansion of HIPAA to cover all healthcare data or new HIPAA-like regulations to be introduced to cover healthcare data when the information is collected by an entity not covered by HIPAA.
One common criticism of HIPAA is the lack of a private cause of action, which prevents patients from suing for HIPAA violations. While this is unlikely to change, there is some good news for patients. The HHS’ Office for Civil Rights will soon be distributing a percentage of the funds raised from its enforcement actions to victims of HIPAA violations, as soon as a suitable methodology for doing so is developed. OCR recently sought information from industry stakeholders and the public on how best to implement this requirement and ensure the funds are fairly distributed.
Steve Alder, Editor-in-Chief, HIPAA Journal
The post Editoirial: Benefits of HIPAA for Patients appeared first on HIPAA Journal.