The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 and sets the rules for individuals’ rights to privacy regarding their healthcare information. The act spells out exactly who is responsible for maintaining privacy: healthcare providers, health plans, and health clearinghouses. These groups are referred to as “covered entities.”
The law also sets forth what information is covered, how that information should be secured, and how security breaches should be handled.
Providers are professionals such as doctors, psychologists, dentists, chiropractors, and others, “but only if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard.” With the rising importance of electronic healthcare record systems, it is more critical than ever for DCs to understand and abide by the rules set forth in HIPAA.
Privacy and Security
HIPAA addresses two main elements of individuals’ rights regarding their healthcare information: privacy and security. According to the Department of Health and Human Services (HHS), which oversees the implementation of HIPAA:
“A major goal of the Privacy Rule is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality healthcare and to protect the public’s health and well being. The Rule strikes a balance that permits important uses of information, while protecting the privacy of people who seek care and healing. Given that the healthcare marketplace is diverse, the Rule is designed to be flexible and comprehensive to cover the variety of uses and disclosures that need to be addressed.”
Currently, many chiropractic practices and other healthcare providers are beginning to work toward meeting the stage 2 meaningful use (MU) objectives of the EHR incentive program. The goal of stage 2 is, in large part, for providers to begin sharing patient information across multiple settings. Patients have better outcomes when their providers have access to their medical histories; however, there is a fine balance to strike between properly sharing and protecting patient information.
Regarding the security portion of the law, HHS says:
“A major goal of the Security Rule is to protect the privacy of individuals’ health information while allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care. Given that the health care marketplace is diverse, the Security Rule is designed to be flexible and scalable so a covered entity can implement policies, procedures, and technologies that are appropriate for the entity’s particular size, organizational structure, and risks to consumers’ electronic protected health information.”
Because HIPAA existed before most EHR systems, the systems have been designed with built-in security features. Since it is ultimately the provider’s responsibility to keep patient information private and protected, though, it is important to fully understand the security measures of the system being used.