The meaning of “HIPAA law,” or the Health Insurance Portability and Accountability Act, refers to privacy concerning a person’s medical records. For example, HIPAA Law defines standards for the whole of the U.S. to follow regarding the protection of Americans’ medical records and other information relating to their personal health. To obtain medical records for someone, the patient must sign a HIPAA release form, allowing that individual to view those records. To explore this concept, consider the following HIPAA law definition.
Definition of HIPAA Law
- A nationwide law established to protect the medical information of American citizens.
What is HIPAA Law?
The Health Insurance Portability and Accountability Act, or, more simply, HIPAA, is a law that works to protect the medical information of U.S. citizens. The HIPAA Law gives patients more control over who gets to view their medical information by setting boundaries on both the release and the usage of that information. For example, HIPAA Law holds violators of the law accountable by imposing upon them civil and criminal penalties of varying severity.
Four Purposes of HIPAA
There are four purposes of HIPAA that perfectly sum up the law. These four purposes of HIPAA are:
- Securing the privacy of a patient’s medical information
- Securing electronic records of a patient’s medical information
- Simplifying administrative tasks
- Providing health insurance portability
In other words, not only does addressing the four purposes of HIPAA protect the patient, but it also serves to ease the burdens associated with administrative paperwork and the transference of health insurance. Under HIPAA, these processes are more streamlined and allow for safer, more efficient methods of transferring a patient’s information between providers.
HIPAA Law’s Privacy Rule details the process by which healthcare providers throughout the U.S. can and should handle and protect a patient’s private medical information. For instance, the Privacy Rule sets limits, and places conditions on how an individual can use and disclose sensitive information without having the patient’s prior authorization.
The Privacy Rule also serves to give patients rights over their own medical information, including the right to obtain and review a copy of their health records. Patients can also request providers to make corrections to their records, if necessary.
HIPPA’s Security Rule ensures that a patient’s electronic medical information is safe from unauthorized access. The Security Rule does this by using provisions that do not refer to specific technologies or procedures. Rather, the Security Rule does this so that no matter what changes occur as technology advances.
It continues to keep a patient’s information safe from unsecured access, while ensuring that no one needs to update the rule just because technology has upgraded. Every organization is responsible for determining what their security needs are, and how they will accomplish their security-related goals. The Security Rule leaves it up to them, so long as they adhere to the rule.
Who is Bound By HIPAA?
As per the Privacy Rule, health plans, healthcare clearinghouses, and healthcare providers are all bound by HIPAA. These entities all fall under the umbrella of “covered entities,” and they are bound by HIPAA to the privacy standards it establishes, even if they employ contractors to help them.
However, there are certain departments, such as social security and welfare benefits, that the Department of Health and Human Services does not regulate. This is because HIPAA does not bind them to do so.
When it comes to HIPAA violations, they are numerous, considering that every business can violate this law in a different way. Perhaps the most common HIPAA violations are data breaches, which subject the violator to potentially hefty fines. Some of the ways in which HIPAA violations resulting in data breaches can happen include:
- Theft of the device containing the information (laptop, smartphone, etc.)
- Hacking, or a malware or ransomware attack
- Sending sensitive information to someone, or discussing sensitive information, outside of the office, including social media posts
Typically, HIPAA Law examples of violations fall into the categories of use and disclosure, improper security safeguards in place (or none at all), or access controls, to name a few.
Examples of HIPAA Law Security Measures
To protect a patient’s information, HIPAA Law examples of security measures must be in place. This applies for any business dealing with a patient’s sensitive medical information, from doctors and hospitals, to insurance companies, lawyers, and beyond. Consider the following HIPAA Law examples of protections that a business can take to protect itself from potential fines and other punishments resulting from HIPAA violations:
- Administrative – Administrative protections are the policies and procedures a business creates for itself to protect its information from a potential breach.
- Physical – Physical protections include everything from security cameras, and door and window locks, to where the business decides to place its computers, laptops, and screens that display sensitive information.
- Technical – Technical protections include the software the company uses to protect its information. This is different for every business, as it is up to the business to decide which software it likes best.
HIPAA Law Example Involving a Kentucky Nurse
An example of a HIPAA law violation that resulted in heated litigation occurred in Kentucky in May of 2013 in the matter of Hereford (Dianna) vs. Norton Healthcare Inc., et al. Here, Dianna Hereford, a nurse, allegedly committed a HIPAA violation while on the job.
At the time, Hereford was assisting an echocardiogram technician with a patient who had Hepatitis C. While the patient was waiting in an examination area behind a privacy curtain, Hereford reportedly advised her colleagues to wear gloves so as not to catch the disease. The patient then sued the hospital, stating that Hereford had improperly disclosed the patient’s sensitive medical information by proclaiming it loudly enough for other patients and medical staff to hear.
The hospital promptly sued Hereford, and Hereford filed suit in retaliation. She argued that her termination violated public policy because the hospital fired her despite her “strict adherence” to HIPAA law regulations. She admitted that she, at most, engaged in “incidental disclosure,” which was not a violation of HIPAA law. She also claimed that the hospital and some of its staff had defamed Hereford by telling others that she had violated HIPAA law.
The trial court found that Hereford did, in fact, unnecessarily disclose the patient’s Hepatitis C status because no physician or other healthcare worker would need the reminder that a patient has an infectious disease to wear gloves around that patient. The court also dismissed the defamation claims Hereford filed.
When the case reached the Kentucky Court of Appeals, the court affirmed the trial court’s decision to dismiss Hereford’s claim of wrongful termination. The Court reasoned that Hereford could not “rely on HIPAA” as her foundation for a wrongful termination case since HIPAA Law exists to protect patients – not hospital employees. The Court ruled that the hospital did, in fact, act lawfully when it fired Hereford for committing a HIPAA violation.
Said the Court:
“In examining this question, the circuit court noted that it was not bound by the unemployment insurance referee’s finding that Hereford did not violate HIPAA. Rather, the court examined the entirety of the record to conclude that Vissman’s alleged defamatory statements were true. This finding was grounded on the court’s recognition that a medical provider must use the minimum amount of protected health information to accomplish the necessary purpose.
The court concluded that, ‘Under HIPAA, Hereford’s statement was not the minimum amount necessary to accomplish the warning. As a matter of law, the Defendants could not have defamed Hereford by speaking the truth that she was terminated for a HIPAA violation.’
Because the dismissal of Hereford’s defamation claim was accomplished via Summary Judgment, the standard of review is whether the trial court correctly found that there were no genuine issues as to any material fact and that the moving party was entitled to judgment as a matter of law.” The record reasonably supports the circuit court’s determination that Hereford’s employment was terminated based on a HIPAA violation. It also supports the court’s conclusion that Norton and Vissman could not have defamed Hereford for publishing the truth that Hereford’s employment was terminated for a HIPAA violation.
Additionally, Hereford’s contention that she was forced to self-publish defamatory information to potential employers is not supported by the record, as it is true that she was fired for a HIPAA violation. There are no genuine issues of material fact, and as truth is an absolute defense to a defamation claim, Stringer, supra, Norton and Vissman were entitled to a judgment as a matter of law. The defamation claim was properly dismissed and we find no error.” [Citations omitted.]