Working in the medical field, we are often asked great questions about medical privacy.
HIPAA (commonly misspelled HIPPA) is the Health Insurance Portability and Accountability Act of 1996 that, among other things, sets a national standard for medical privacy. I say “among other things” because the stated purpose of HIPAA actually doesn’t even mention the word “privacy.” Here’s the Act’s stated purpose:
(WARNING: heavy legalese may cause crossed eyes)
"... to amend the Internal Revenue Code of 1986 to improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other purposes." http://bit.ly/MHFGis
(I warned you…)
HIPAA required the U.S. Department of Health and Human Services (HHS) to adopt security standards and safeguards for health information. HIPAA set very broad guidelines and tasked HHS with filling in the details.
- The Privacy Rule protects all protected health information (PHI) transmitted in any medium (electronic, paper or oral) by a covered entity or its business associates.
- The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic PHI. The Security Rule does not apply to written or oral information.
The Privacy Rule and the Security Rule are the two Rules that the medical field refers to when we talk about a patient’s “right to privacy” under HIPAA.
Only three types of organizations are required to follow HIPAA. HIPAA calls them “covered entities.” The three covered entities are:
- Health plans, including insurers or other groups that provide or pay for the cost of medical care.
- Health care clearinghouses, including third-party companies that standardize health data, such as medical billing companies.
- Health care providers who transmit electronic health information for specific purposes, such as to bill insurance companies. With the growing adoption of electronic medical records, it is becoming increasingly unlikely that any physician’s office would fall outside this category.
So, your health insurance company and doctor’s office are required by HIPAA to protect your medical privacy, but your employer or school is not.
Where can you go to get more information about HIPAA?
If you’d like to learn more about HIPAA and your medical privacy rights, go straight to the source. HIPAA is governed by the federal Health and Human Services (HHS) department. HHS publishes a plethora of educational material at http://www.hhs.gov/ocr/privacy/.
Want to know the answers to the questions posed in the above photo? The answers may surprise you:
“Can my doctor call my name out loud in the waiting room?” See the answer.
“My specialist sent my medical records to my primary care physician without my permission. Is that allowed?” See the answer.
Are there any other health privacy laws?
Yes. In California, we have state law that provides additional medical privacy protections for patients. A San Diego nonprofit called Privacy Rights Clearinghouse recently published a series of consumer guides on California medical privacy laws.
At SKY Facial Plastic Surgery, we take our patients’ privacy very seriously. Our staff receives regular HIPAA training. If you have a question about HIPAA, post a comment! We may include it in a future blog post.