Healthcare is a massive industry, and in today's society almost every aspect of the profession is governed by specific laws. However, Moore and Frye note that before 1996 the United States had no federal law protecting patient privacy in the healthcare setting (20). Congress therefore enacted the Health Insurance Portability and Accountability Act of 1996, commonly referred to as HIPAA. In its broadest meaning, HIPAA is a large set of rules and regulations that prevent access to, use of, or disclosure of patients' health information without their knowledge or consent (Ghattas 52). HIPAA resulted from efforts by congressional healthcare reform advocates and the Clinton Administration to improve the healthcare industry (Moore and Frye 21). In this regard, this essay explores the U.S. Department of Health and Human Services website to understand the Act. HIPAA is a federal law that regulates healthcare providers and requires them to protect patients' privacy.
HIPAA Patient Rights
HIPAA protects individual health information and guarantees patients legal, enforceable rights to receive their medical and billing information. The legislation is broad in scope: it covers health care providers and health plans, together with their business associates, all of which are positioned to use or share patient medical and other health information improperly. The U.S. Department of Health and Human Services notes that HIPAA ensures that patient medical records are adequately protected whether oral, written, or electronic. Furthermore, it affords patients the right to access their health information. Specifically, it gives a patient, with few exceptions, the right to receive and review medical and billing records held by health care providers and health plans (U.S. Department of Health and Human Services). Covered health care providers include professionals such as dentists, psychologists, and doctors who transmit health information electronically in connection with certain transactions, such as billing. Health plans include company health plans, health maintenance organizations (HMOs), and health insurance companies that pay for patient care.
HIPAA also determines who else can receive and inspect a copy of protected medical records held by a health care provider or health plan. Generally, HIPAA-covered entities must share information with a patient's personal representative. For a deceased person, the personal representative is the individual authorized by state law or by a court to act on the deceased person's behalf, or the administrator or executor of the deceased person's estate. For a child, the personal representative is the parent or legal guardian who makes decisions about the child's wellbeing (U.S. Department of Health and Human Services). However, a plan or provider may choose not to share information with a personal representative whom it reasonably believes might endanger the patient in circumstances of abuse, neglect, or domestic violence. In addition, HIPAA permits a plan or provider to disclose information to family and friends only when they are involved in the patient's care or payment for care, or are the patient's personal representatives.
HIPAA Complaint Process
What can patients do if they believe their rights are being denied? A patient can always file a formal complaint with the Office for Civil Rights (OCR) if they believe that an entity denied them the right to access their information or otherwise violated the Privacy, Security, or Breach Notification Rules (U.S. Department of Health and Human Services). OCR is mandated to investigate complaints against healthcare providers, clearinghouses, and health plans (Gostin 3016). Patients may file a privacy or security complaint, and they must follow this process: The first step is to file the complaint in writing through the OCR complaint portal, e-mail, fax, or mail. The second step requires the patient to describe the rights that were denied and to name the covered entity or business associate involved. Note that OCR can only investigate entities subject to the HIPAA Rules, such as nursing homes, clinics, hospitals, doctors, and health plans. The last step requires the patient to file the complaint within 180 days of learning that their rights were denied (U.S. Department of Health and Human Services). Following these steps ensures that the complaint is accepted for review.
HIPAA Breach Notification Requirements
Under the HIPAA Breach Notification Rule, covered entities must notify patients when their health information is breached. A breach is, basically, an incident in which protected health information is acquired, accessed, used, or disclosed in a manner not permitted by the Privacy Rule and without the authorization or knowledge of the patient (Moore and Frye 270). The Rule requires notification only when the breach compromises the privacy or security of the patient information. Those to be notified include the affected individuals, the Secretary of Health and Human Services, and, in some cases, media outlets. According to the U.S. Department of Health and Human Services, three exceptions exist under which an incident is not treated as a breach and no notification is required. The first exception applies if the covered entity has a good-faith belief that the unauthorized person who received the information could not reasonably have retained it. The second exception applies when a person authorized to access the information inadvertently shares it with another person at the same entity who is also authorized to access it. The final exception applies to the unintentional acquisition, access, or use of medical records by a workforce member acting in good faith and within the scope of their authority.
HIPAA Compliance and Enforcement
The Office for Civil Rights investigates health information privacy and security complaints. It carefully reviews all information provided by the complainant regarding the alleged violation of health information rights. However, it may only take action on a complaint if: "(1) the complaint was filed within 180 days of the violation; (2) complainant rights were violated by a HIPAA-covered entity or a business associate; and (3) the incident described violated the HIPAA rules" (U.S. Department of Health and Human Services). Once OCR accepts a complaint for investigation, it notifies both the covered entity and the complainant. By law, the covered entities named in the complaint are required to cooperate throughout the investigation. Next, OCR requests evidence from both sides in order to evaluate what transpired during the incident described in the complaint. OCR then determines whether the covered entity violated the HIPAA Rules. The complaint is closed if the gathered evidence indicates that the covered entity did not violate the Rules. If the evidence suggests otherwise, OCR seeks to resolve the complaint through the most appropriate course of action.
Notably, no other agencies are involved in the investigation process, because the Office for Civil Rights enforces only the laws and regulations assigned to it within the U.S. Department of Health and Human Services. These include "the Patient Safety Act and Rule, Privacy, Security, and Breach Notification Rules, HIPAA, conscience and religious freedom law, and federal civil rights laws" (U.S. Department of Health and Human Services). These laws protect fundamental health information privacy rights, religious freedom, conscience, and nondiscrimination at covered entities. OCR does not involve other agencies in its investigations because it does not enforce laws that apply to employment, housing, or the criminal justice system (police agencies, courts, and correctional facilities). However, it can refer a case to the Department of Justice if the complaint describes conduct that may violate HIPAA's criminal provisions.
The Office for Civil Rights is responsible for resolving HIPAA privacy and security violations. It issues a letter describing the resolution, which may take the form of voluntary compliance, corrective action, or a resolution agreement (U.S. Department of Health and Human Services). Karne et al. describe a resolution agreement as a written settlement between HHS and a covered entity or business associate in which the entity agrees to perform specified corrective actions and to report to HHS, typically for a period of three years (52). The Department of Health and Human Services monitors the entity or associate throughout that period to ensure it meets the obligations laid out in the agreement. Such agreements can be narrow, covering a single hospital, healthcare provider, or professional, or broad enough to require systemic change across an organization. For example, the U.S. Department of Health and Human Services reports that on March 28, 2022, OCR announced four enforcement actions holding healthcare providers accountable for compliance. OCR imposed the following corrective actions and penalties.
Northcutt Dental-Fairhope, LLC, a dental services provider in Alabama, agreed to pay $62,500 to settle potential violations of the HIPAA Privacy Rule and to take corrective action for impermissibly disclosing patients' protected health information to a third-party marketing company and to a campaign manager working on a state senate election campaign. Jacob and Associates, a mental health facility in California, agreed to pay OCR $28,000 to settle potential violations of the HIPAA Privacy Rule's Right of Access provision and to take corrective action. OCR imposed a $50,000 civil money penalty on Dr. U. Phillip Igbinadolor, D.M.D. & Associates, P.A. (UPI), a dental services provider in North Carolina, for responding to a negative online review using a patient's protected health information. Dr. Donald Brockley, a solo dental practitioner in Pennsylvania, agreed to pay $30,000 and take corrective action for failing to provide a patient with a copy of their medical record (U.S. Department of Health and Human Services). These incidents illustrate the corrective actions that OCR can require of covered entities or business associates for violating the HIPAA Privacy Rule. They also show that OCR can impose civil money penalties (CMPs) for noncompliance.
HIPAA has changed how the medical field handles patients' health information and discloses it to others who may or may not be entitled to it. The legislation ensures that patient medical records are well protected, whether oral, written, or electronic. It also requires covered entities and business associates to notify patients when their health information is breached. A patient who believes that a covered entity or its business associate has denied them their fundamental rights can file a complaint with OCR.
If a patient files a complaint within 180 days of the violation, OCR investigates to determine whether the incident described violated the HIPAA Rules. Under the Breach Notification Rule, however, no notification is required if the unauthorized recipient could not reasonably have retained the information, if an authorized person inadvertently shared it with another authorized person at the same entity, or if the information was used unintentionally and in good faith within the scope of authority. The investigation process requires OCR to request evidence from the complainant and from the covered entity or business associate named in the complaint in order to determine whether protected health information was improperly used or disclosed. OCR then issues a letter describing the resolution, which may be voluntary compliance, corrective action, a resolution agreement, or a civil money penalty for noncompliance with the HIPAA Privacy and Security Rules.
Ghattas, Tryphena. Exploring the Limitations of HIPAA in the 21st Century. California State University, Northridge, 2020.
Gostin, Lawrence O. "National Health Information Privacy: Regulations Under the Health Insurance Portability and Accountability Act." JAMA 285.23 (2001): 3015-3021.
Karne, Suresh, et al. "Basics About HIPAA for Physicians." JAAPI 1.1 (2021): 51-55.
Moore, Wilnellys, and Sarah Frye. "Review of HIPAA, Part 1: History, Protected Health Information, and Privacy and Security Rules." Journal of Nuclear Medicine Technology 47.4 (2019): 269-272.
Moore, Wilnellys, and Sarah Frye. "Review of HIPAA, Part 2: Limitations, Rights, Violations, and Role for the Imaging Technologist." Journal of Nuclear Medicine Technology 48.1 (2020): 17-23.
U.S. Department of Health and Human Services. “Breach Notification Rule.” HHS.gov, 2013, Web.
U.S. Department of Health and Human Services. “Family Members and Friends.” HHS.gov, 2020, Web.
U.S. Department of Health and Human Services. “Filing a HIPAA Complaint.” HHS.gov, 2020, Web.
U.S. Department of Health and Human Services. “Four HIPAA Enforcement Actions Hold Healthcare Providers Accountable with Compliance.” HHS.gov, Web.
U.S. Department of Health and Human Services. “Health Information Privacy.” HHS.gov, Web.
U.S. Department of Health and Human Services. “HIPAA for Individuals.” HHS.gov, Web.
U.S. Department of Health and Human Services. “HIPAA What to Expect.” HHS.gov, Web.
U.S. Department of Health and Human Services. “Office for Civil Rights (OCR).” HHS.gov, Web.
U.S. Department of Health and Human Services. “Personal Representatives.” HHS.gov, Web.
U.S. Department of Health and Human Services. “Resolution Agreements.” HHS.gov, Web.