The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is responsible for taking legal measures to protect the privacy and coverage of individuals receiving health care benefits. It has several sections that every US citizen who receives or will receive health care should be informed about, and you will see HIPAA recurring throughout health insurance forms and medical paperwork.

HIPAA is mainly an advocate for the privacy of the insured. It also deals with providing more options to individuals who have a group or some individual health plan. Title I of HIPAA makes it possible for those on a group health plan to receive benefits sooner for pre-existing conditions. Upon signing up for a group health plan, group insurance may deny you coverage on the services you need, but Title I helps reduce the waiting period to get access to care.

Unfortunately, not all health insurance accepts Title I; this applies mostly to long-term plans and stand-alone plans such as vision and dental. If vision and dental are included in your overall plan, then Title I of HIPAA is still valid.

You will mostly see HIPAA working for you in forms used for health insurance, medical treatment, and other instances where your health information is given and needs to be kept confidential.

HIPAA and Your Privacy

The Privacy Rule limits access to your personal information given to health insurance companies, medical coverage under your employer, and doctors and other service providers, referred to as covered entities. Your Protected Health Information (PHI) is any health-related information given to covered entities regarding payment, your health standing, type of care received, and virtually any other part of your medical record.

Covered entities are encouraged to share the minimum amount of PHI possible when they need to do so. There are cases where a covered entity will share your PHI without your written permission, such as contacting medical care providers, or regarding payment for a health service. Otherwise, you must provide a signature to allow the covered entity to disclose your PHI. The covered entity is always required to inform you when it has shared your information.

Since September 23, 2009, the Breach Notification Rule has required all health care providers by law to notify you of unauthorized information disclosure. A breach of security differs from when they give your PHI for the reasons listed above. It is defined as the disclosure and use of patient information that is not available for use under HIPAA laws and that places the patient’s security at risk.

According to the Privacy Rule, you can make an appeal for a covered entity to change any incorrect PHI.


HIPAA and Health Care Transactions

HIPAA was designed in part to make the process of getting medical care simpler. This is done by standardizing medical care transactions. As of January 2012, revisions to the law were made, now requiring that standardized electronic versions of HIPAA be used by medical providers for security and simplification purposes.

The Transaction and Code Set Rule provides a list of medical transactions in electronic form. The health care providers who choose to use them are required to abide by HIPAA standards, but providers are not required by HIPAA to use the electronic forms for all transactions. The following are transactions available in electronic form from HIPAA:

  • Health insurance plan eligibility
  • Health claims or similar encounter information
  • Health claim status
  • Payment of premiums
  • Health care payment and advice
  • Certification and authorization of referrals
  • Health insurance enrollment and maintenance
  • Retail pharmacy claims



HIPAA and Your Security

The Security Rule is much like the Privacy Rule, but targets strictly electronically-filed personal information. Your Electronic Protected Health Information (EPHI) is protected by this rule, pertaining to covered entities and small plans. Three safeguards for security have been put in place, and each has specific methods laid out to successfully adhere to these standards.

  • Administrative Safeguards: policies that indicate how covered entities will put the security rule in motion.
  • Technical Safeguards: control of access to electronic information through computer systems and allowing covered entities protection of EPHI from interception by an unwanted party.
  • Physical Safeguards: physical access is controlled to prevent unintended access of confidential information.

The Health Information Technology for Economic and Clinical Health Act (HITECH) is a part of the HIPAA law, holding those who use HIPAA electronic forms accountable for security breaches related to electronically submitted information. Under this act, if 500 or more patients’ data is breached, covered entities must not only alert the patients whose information was shared illicitly, but must report it to HHS and the media.

