HIPAA law is meant to protect information that could be used to identify a medical patient.6 min read
Updated November 26, 2020:
HIPAA law is meant to protect information that could be used to identify a medical patient. This law also includes language that is meant to protect patients seeking healthcare from discrimination.
Learn about HIPAA Law
You may not be aware that the Health Insurance Portability and Accountability Act (HIPAA) is actually a 1996 amendment to the Employee Retirement Income Security Act (ERISA).
HIPAA was added as an amendment to help protect more workers and their loved ones by limiting new employers from excluding coverage for preexisting conditions. Additionally, it prohibits discrimination against employees and their family members based on any preexisting conditions and providing new rights to individuals who lose their coverage.
HIPAA also protects patients' paper and electronically stored medical information through the Privacy Rule, while the Security Rule regulates the confidentiality of electronically stored medical information only. Both of these provisions were implemented by the U.S. Department of Health and Human Services.
HIPAA's Effect on Preexisting Conditions
Before HIPAA, many employers' group health plans denied new employees coverage of preexisting conditions that existed at the time of enrollment. Now under HIPAA law, the cutoff date has been mandated to 6 months. This means that if the employee received any medical advice, diagnosis, treatment, or care pertaining to the condition during the 6 months before enrollment, the preexisting condition exclusion can only be applied then.
If the employee did receive any medical advice, diagnosis, treatment, or care regarding his or her condition in the previous 6 months, the plan may still impose a preexisting condition exclusion. If your preexisting condition is excluded from the plan, the good news is that for most people, this exclusion period cannot exceed 12 months. Some people may be able to reduce this 12 month exclusion period by receiving “creditable coverage” for the time they held health coverage before their new job.
Protection Against Discrimination
HIPAA law prohibits individuals from being excluded from coverage or denied benefits based on health-status related factors. Therefore, a health plan cannot deny an employee medical coverage based on a disability, his or her medical history, or genetic information.
New Special Enrollment Rights
Individuals who held coverage previously now have an opportunity to enroll outside of the enrollment period if they lost coverage based on certain situations.
Some of these situations include:
- Reduction in work hours
- Spouse's death
- Spouse's employment ending
- Separation or divorce
Remember, although HIPAA provides a wide array of new rights, it does not require that employers provide health coverage. HIPAA law is only a set of guidelines for employers who do choose to provide health coverage.
Medical Information Protected by HIPAA Law
One of the main purposes of HIPAA law is to secure “individually identifiable health information.” Essentially, this is any information that someone could use to identify a specific patient. Some of the information that falls into this category includes:
- The mental and physical condition of the patient, whether past or present.
- Healthcare treatment or services received by the patient.
- How the patient has paid or will pay for their healthcare treatment or services.
HIPPA law also protects payment information. This means identifying information such as credit card numbers and even a patient's handwriting are afforded legal protections under HIPAA. Entities subject to HIPAA should note the law protects data stored in forms other than in writing. For example, video and pictures which include information that could be used to identify a patient are also covered by HIPPA.
Imagine, for example, you are a healthcare provider and you have photographed a patient's rash for documentation purposes. If this photo includes identifying information about the patient, such as an image of the patient's face, the picture would be protected by HIPPA privacy laws. This means the photo may only be displayed under very strict circumstances.
Protected Health Information and HIPAA
When it comes to Protected Health Information (PHI), HIPAA law applies to both covered entities and third-party providers that conduct business with these covered entities. In most cases, access to PHI should be reserved only for these entities. The only exception to this rule is if the patient has given their permission for their PHI to be used for specific purposes, including:
- Medical research
HIPPA law gives patients certain rights related to their health records. For example, this law gives you the right to acquire copies of your medical records, make any necessary changes to your medical records, and restrict who can view your medical records. HIPAA also places restrictions on who can examine or receive your PHI, whether it is transmitted in writing, orally, or electronically.
Protected PHI includes any information that is added to your medical records by a health care provider, including nurses and doctors. This also covers billing and health insurance information, as well as conversations between healthcare providers related to your treatment. If your doctor is discussing your treatment with a nurse, for instance, this conversation would be covered by HIPAA law.
If an entity needs to disclose any PHI, the disclosure must occur entirely within the entity. No PHI can be disclosed outside of a covered entity unless one of three requirements are met:
- Disclosure is legally required.
- Disclosure is in the public's best interest.
- Disclosure is in the patient's best interest.
For example, if a patient has been the victim of abuse, or if the patient poses a threat to the public, disclosure of PHI may occur without violating HIPAA law. In these cases, the entity making the disclosure must abide by something known as Minimum Necessary Rule. Basically, the Minimum Necessary Rule states that the entity should only disclose whatever information is needed to achieve a specific goal. In the above example where the patient is abused, the only information that will protect them from this abuse should be disclosed.
Entities should also be sure to individually review every disclosure request submitted. Just because an associate has disclosed PHI in a previous circumstance does not mean additional disclosures should be granted in the future. Reviewing disclosure requests on an individual basis will help covered entities avoid a HIPAA violation.
Consequences for Unauthorized PHI Disclosures
It is the responsibility of every entity covered by HIPAA law to institute protections that will prevent unauthorized PHI disclosures. Safeguards chosen by a covered entity will be determined by several factors, including the entity's size and the type of treatment provided by the entity. These safeguards must be effective because the penalties for a HIPAA violation can be quite severe.
Healthcare entities that fail to follow HIPAA privacy laws, whether intentionally or by accident, can be fined $50,000 per day until they are in compliance with these rules. HIPAA violations can also come in several different forms. When a data breach causes a violation, large numbers of patients can be affected. This means the healthcare organization will be heavily penalized.
If an individual unknowingly violates HIPAA, they can be charged between $100 and $50,000 for every violation. HIPAA violations made for a reasonable cause and not willful neglect can result in fines ranging from $1,000 to $50,000. Fines of between $10,000 and $50,000 can be charged for HIPAA violations that are the result of willful neglect, but were corrected promptly. Violations caused by willful neglect that are not corrected will result in a $50,000 fine. Committing the same type of violation a second time in the same calendar year will result in an additional fine of $1.5 million.
The maximum possible penalty will not be charged for every violation. Instead, penalties will be determined on a case-by-case basis. When determining the proper fine amount several factors will be taken into consideration. These factors include the extent of the violation, the nature of the violation, and the level of harm caused by the violation.
How Unauthorized Disclosures Occur
Several issues can result in a HIPAA violation. Learning about a few of these issues will help you avoid a HIPAA violation. Unencrypted data is one of the most common causes of an unauthorized disclosure. Encrypting data and increasing the frequency of data monitoring should help to prevent these disclosures.
Employee error can also easily cause an unauthorized disclosure. For example, if an employee improperly stores PHI, or transmits this information to a third-party that later reveals the data, a HIPAA violation has occurred. Proper training is the simplest way to prevent HIPAA violations due to employee error. Every healthcare entity should make sure its employees understand HIPAA compliance, including when and how disclosure can occur.
If you need help with HIPAA law, you can post your legal need on UpCounsel's marketplace. UpCounsel accepts only the top 5 percent of lawyers to its site. Lawyers on UpCounsel come from law schools such as Harvard Law and Yale Law and average 14 years of legal experience, including work with or on behalf of companies like Google, Menlo Ventures, and Airbnb.