What is the Purpose of HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law with a wide-reaching effect on the US healthcare industry. When it was enacted in 1996, HIPAA's primary function was to preserve healthcare coverage for individuals who were between jobs. Without it, people in that situation could find themselves without coverage, and therefore potentially unable to access important medical treatment.
Nowadays, however, HIPAA is synonymous with data protection legislation. The Act imposes strict requirements for safeguarding protected health information (PHI): the individually identifiable health data held by covered entities such as health plans, healthcare providers and healthcare clearinghouses. Because that data is so sensitive, and because its misuse enables healthcare fraud, combating fraud and abuse is also one of HIPAA's stated purposes. To be HIPAA compliant, and to avoid hefty financial penalties, healthcare organisations are required to implement controls that secure patient data.
HIPAA is a comprehensive act that amended several existing laws, including the Public Health Service Act and the Employee Retirement Income Security Act, and its privacy and security provisions were later strengthened and extended by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009.
The Privacy Rule of 2000
The purpose of the HIPAA Privacy Rule was to restrict the permitted uses and disclosures of protected health information. The Rule stipulates when, with whom, and under what circumstances health information may be shared. Only authorised individuals may access PHI; access by an unauthorised individual, whether accidental or the result of a deliberate attack, may lead to financial penalties if the organisation did not have adequate safeguards in place. Patients also have the ability to authorise who may see their medical information for purposes beyond treatment, payment and healthcare operations.
The HIPAA Privacy Rule also gives patients the right to access their own health data on request. The data must be delivered to them in a secure manner within 30 days of the request being submitted; a single 30-day extension is permitted if the individual is given written notice of the reason for the delay.
The Security Rule of 2003
The purpose of the HIPAA Security Rule is to ensure that electronic protected health information (e-PHI) is protected by the requisite administrative, physical and technical safeguards. Covered entities must ensure the confidentiality, integrity and availability of all e-PHI they create, receive, maintain or transmit. An auditable trail of e-PHI activity must be maintained: systems that hold e-PHI must record, and allow examination of, who accessed what and when, and that access must be controlled. Furthermore, covered entities must protect against any “reasonably anticipated threats” to the security or integrity of e-PHI, and against reasonably anticipated uses or disclosures that the Privacy Rule does not permit.
The Breach Notification Rule of 2009
The Breach Notification Rule of 2009 sets out the requirement for HIPAA covered entities (CEs) to provide notification following a breach of unsecured PHI. A breach is an acquisition, access, use or disclosure of PHI that is not permitted by the Privacy Rule and that compromises the security or privacy of that PHI. Following a breach, covered entities must notify the affected individuals and the Secretary of Health and Human Services (breaches affecting fewer than 500 individuals may be logged and reported to the Secretary annually), and, if the breach affects more than 500 residents of a state or jurisdiction, prominent media outlets serving that area. The Rule also covers business associates, who must notify the covered entity if a breach occurs at or by the business associate. Notification must be made without “unreasonable delay” and no later than 60 calendar days after the breach is discovered, not after it occurred; a breach is treated as discovered on the first day it is known, or reasonably should have been known, to the organisation.
Other Purposes of HIPAA
In addition to protecting health information, HIPAA introduced several standards intended to improve efficiency in the healthcare industry. Its Administrative Simplification provisions require covered organisations to adopt standard electronic transaction formats, standard code sets, and unique identifiers for healthcare providers, health plans and employers (the national patient identifier that the Act also called for has never been implemented). These standards paved the way for the efficient transfer of healthcare data between healthcare organisations and insurers, allowing for efficient eligibility checks, billing, payments and other healthcare operations, and thereby improving a patient's experience in the healthcare system.
HIPAA also prohibits the tax deduction of interest on life insurance loans, enforces group health insurance requirements, and standardises the amount that may be saved in a pre-tax medical savings account.
In summary, HIPAA has a wide range of purposes. It seeks to improve efficiency in the healthcare industry, to improve the portability of health insurance, to protect the privacy of patients and health plan members, and to ensure health information is kept secure and patients are notified of breaches of their health data.