Wednesday, January 13, 2010

HIPAA Laws & Regulations

The Health Insurance Portability and Accountability Act protects the privacy of patient information.


The Health Insurance Portability and Accountability Act, passed in 1996, is known for its Privacy and Security rules that protect the privacy of an individual's health-related information and regulate who has access to a patient's confidential medical information. Within the Department of Health and Human Services, HIPAA is overseen by the Office of Civil Rights, which handles investigation of complaints and enforcement of the law.


Protections


According to HHS, the HIPAA law acts as a safeguard of a patient's medical and health information in many forms. In addition to securing medical records, HIPAA also protects any conversations about a patient's health that doctors might have with other health professionals such as nurses, information held by an insurer or in its computer system, and billing records regarding any treatment received. The law requires that anyone with access to a patient's health information must put in place a system to ensure its protection along all links of the chain of responsibility.


Access


Covered entities are those organizations and institutions that must follow the HIPAA regulations regarding the privacy of health information. These include health plans, such as Medicare, Medicaid, HMOs, health-insurance companies and company-based health plans; health-care providers such as doctors, dentists and pharmacists (essentially any business electronically billing a health-insurance plan); and health-care clearinghouses that transfer medical records from one format to another, such as a business that scans hard copies of patient records into digital form. According to HHS, some organizations are not required to follow HIPAA privacy regulations, such as private employers, school districts, life insurers and law enforcement agencies.


Patient rights


Under HIPAA, a patient has the right to a copy of her medical records, to add corrections to her records, to receive reports on the potential sharing and use of records, and to give permission for the records to be shared.


Complaints


If a patient suspects a covered entity has violated her privacy or that of another person, complaints can be filed with the OCR. The department requires complaints to be in writing (by mail, e-mail or fax); to name the organization suspected of violation and describe the nature of the alleged violation; and to be filed within 180 days of the alleged violation. The 180-day reporting period can be extended if the complainant can show "good cause" for the delay, according to HHS.


Enforcement


Once a complaint of a HIPAA violation is filed, OCR begins an investigation by first notifying the complainant and the covered entity named in the complaint. OCR listens to both, gathers evidence and information and finds either for or against the complainant. If the covered entity is found to be in violation, OCR can take corrective action against the entity, which may result in civil penalties to be paid to the U.S. Treasury. If OCR deems the entity's actions to be criminal, the case may be referred to the Department of Justice for further investigation.
