In the early 1990s, it became apparent that computerizing medical records would improve efficiency within the healthcare industry. This brought to the fore various related issues such as forming new standards for portability of the medical data, managing the data, ensuring that people could continue their healthcare coverage when they changed their jobs and protecting the privacy rights of patient’s medical data. With all the news of data breaches, more patients are becoming concerned about the security of their private health information. In this blog, we explore the role that HIPAA and PHI have on patient access barriers, and what physicians need to know regarding HIPAA and electronic PHI.
HIPAA and the Privacy Rule
In 1996, Congress passed the Health Insurance Portability and Accountability Act (HIPAA), also called the Kennedy-Kassebaum Bill into law. The first aspect of HIPAA to be finalized was the Privacy Rule followed by the Transaction and Code Sets Final Rule, the Security Rule, and the National Provider Identifier, or Unique Identifiers rule and finally the Enforcement Rule specification in 2006.
What does the HIPAA Privacy Rule do? It created national standards that protect medical records of individual patients and their personal health information (PHI). The Privacy Rule:
- Sets limits on the use and release of health records
- Establishes safeguards that healthcare providers and others associated with the medical care must achieve to protect PHI
- Holds violators accountable with civil and criminal penalties for violating patient’s rights to privacy
- Ensures that disclosure of some forms of medical data is made possible to protect public health.
The Privacy Rule protects all “individually identifiable health information” held or transmitted by a healthcare provider or their business associate, irrespective of whether it is in the form of media, electronic data, hard copy, or oral information. The Privacy Rule defines this information as protected health information (PHI). For example, genetic information that is individually identifiable and maintained by a healthcare provider, health plan, or insurance company is protected by the Privacy Rule like other similar health information.
Patient Rights Under HIPAA
Patient’s rights under HIPAA include their ability to make an informed choice when seeking medical care based on how their PHI may be used. HIPAA limits the release of patient’s medical information to a minimum needed for disclosure and enables patients to examine and obtain a copy of their own health records and also request for corrections in their medical records. Healthcare providers are obligated under HIPAA to release medical records to the patient when requested and correct the records as per the patient’s request. The law also empowers patients to control the use and disclosure of their PHI.
Another patient right under HIPAA is to file a complaint if they suspect a violation of their medical record privacy. Patients have a right to access PHI within a “designated record set.” This includes medical records and billing information maintained by or for a covered healthcare provider; or enrollment, payment and claims adjudication maintained by or for a health plan or other records that are used in part or in full by a covered entity to make decisions about an individual’s health.
However, patients do not have a right to access PHI that is not a part of a “designated record set” as this information is not used by the healthcare providers to make decisions about the patient’s medical care. Two other categories of information that are not included in the right of access are psychotherapy notes and information compiled as part of or for use in a civil, criminal or administrative action or proceeding. The other type of PHI access mandated by HIPAA is their representatives asking to see PHI.
PHI in medical records, according to the US Department of Health and Human Services, includes individually identifiable information such as name, address (including street address, city, county, zip code), elements of dates (including birth date, admission date, discharge date, date of demise and exact age if patient is over the age of 89), telephone numbers, FAX numbers, email address, and social security number. PHI also includes medical record number, health plan beneficiary number, driver’s license number, vehicle license plate number, device serial numbers, web URLs, IP address, biometrics like fingerprints or voice prints, photographic images, and any other unique identifying numbers.
ePHI Maintenance and Portability
The HIPAA Privacy Rule governs the maintenance of PHI within electronic medical records (EMR), their portability, and sharing. Typically, hospitals and practices use data encryption protect patient’s medical records stored within the EMR. Healthcare computer systems and networks are required to install other data security systems, including firewalls, to ensure that there is no unauthorized access to EMRs. In addition, electronic auditing systems identify users themselves and create specific log records that are accessed by them. HIPAA data security audits of healthcare provider systems on a regular basis are essential to prevent a HIPAA breach, ensure compliance, and mitigate penalties for unforeseen problems.
Data Breaches and Security Training
Compliance breaches are frequently the unintentional results of healthcare workers who are not sufficiently trained or lack awareness of the proper policies and procedures for the use and disclosure of health information. As a practice owner or hospital leader, it is critically important to create a culture of compliance within your organization. All staff members should undergo formal training and annual refresher courses to ensure your organization’s compliance with both federal and state laws. You can test the effectiveness of this training through exercises and desk audits.
Data breaches are most likely to affect healthcare security systems according to a Verizon 2018 Study. EMRs and the healthcare industry have the immense responsibility of guarding medical records and PHI of millions of patients. Increasing use of mobile devices for transmission of sensitive healthcare information requires stronger mobile data security. As data breaches have become nearly daily notices in the 24-hour news cycle, more patients are becoming aware of ePHI and concerned about the security of their information. Besides excessive fees for data sharing, security concerns, unless addressed urgently, may prevent effective patient access and sharing of PHI.