HIPAA (Health Insurance Portability and Accountability Act)

April 23, 2024

The HIPAA (Health Insurance Portability and Accountability Act) was enacted in 1996. At its inception, the Secretary of the Department of Health and Human Services (HHS) was required to make public the standards for exchanging electronic health information and the standards for the security and privacy of this information. An additional requirement was for Congress to establish privacy regulations concerning individually identifiable health data within 3 years after the establishment of HIPAA. After this failed to happen, HHS proposed a rule in 1999 and invited public feedback, which drew over 50,000 comments. The Privacy Rule was the final regulation and was published in 2000. In 2002, HHS publicly released the modifications arising from public comments, and the final form was published on August 14th of the same year under section 45 CFR (HHS, 2013).
The HHS established the Privacy Rule under HIPAA. This rule concerns the disclosure and use of an individual's health information by healthcare organizations, and the policies concerning an individual's rights to privacy and control over their health data. The main objective of this rule is to protect an individual's health data while at the same time permitting the flow of that data in the provision and promotion of quality healthcare and in protecting the public's well-being and health. The Privacy Rule applies to health plans, including group and individual plans that provide or pay medical care costs. These include health, vision and dental insurers, programs such as Medicaid and Medicare, church and government sponsored health plans, and care insurers. The rule also applies to healthcare providers who transmit health data electronically in connection with transactions such as benefit eligibility inquiries, insurance claims and referral requests. Healthcare providers include medical practitioners and healthcare institutions. Healthcare clearing houses are also under the Privacy Rule. These are institutions involved in processing non-standard information into standard information or vice versa. Such institutions include repricing companies, billing services and value-added networks performing clearing house activities. Finally, business associates are also covered by the Privacy Rule. Business associates act or function on behalf of a covered institution in data analysis, billing, processing of claims, utilization review etc.
The information protected by the rule is individually identifiable health data that is held or conveyed by a covered institution in any form or medium. Individually identifiable health data is defined as information that includes an individual's details such as health condition, healthcare provision to the individual and payment information, and includes identifiers such as birth date, name and social security number. However, there are instances where covered entities are permitted to divulge PHI (Protected Health Information) without authorization from the individual. These include revealing PHI to the individual themselves; for payment, healthcare operations and treatment; where the individual has an opportunity to object or agree; incident to an otherwise permitted use and disclosure; for public benefit activities; and in the interest of public health or research. Covered entities are required to use best judgement and professional ethics when disclosing under the above circumstances.
HIPAA has notably altered the operations of healthcare providers and medical entities. It has impacted healthcare through its multifaceted legalities, its financial and civil penalties, and its implementation costs. Healthcare professionals must therefore be well versed in HIPAA and the potential consequences of failing to comply. HIPAA violation penalties may lead institutions to withhold information that may save lives at crucial moments. A study found that healthcare providers are at times not aware of their legal privacy duties and sometimes act in an overly guarded manner in disclosing information (Edemekong, 2021). The solution is therefore to train staff, especially on the instances in which PHI may legally be disclosed. HIPAA regulations have also affected retrospective medical research and made it a challenge to assess patients prospectively. For example, a 95% decrease in follow up surveys has been linked to HIPAA privacy rules. Cancer research studies have seen a 70% drop in patient recruitment, while the legal language needed to carry out research studies has significantly increased due to the health information protection requirements, leading to a lot of wasted time. Additionally, researchers claim that HIPAA laws negatively impact the quality and cost of medical research.
However, compliance with HIPAA signifies that a healthcare institution has satisfactory measures to protect individual health data. This makes it easier to gain patient trust, which is a priority for every business. HIPAA compliance also limits a healthcare institution's exposure to punitive action in the event of a breach. This considerably lowers reputational loss and business risk. Paying penalties due to non-compliance takes away resources that could be used to improve a healthcare organization's quality of care. It is therefore necessary for healthcare facilities to invest in front end resources to ensure compliance. Finally, a healthcare entity needs to have the capacity to protect the large volumes of health data it collects from its patients. Establishing proactive health data management strategies helps prevent breaches, which enables the expansion and collection of more patient data with the assurance of a means to secure it. HIPAA compliance also enables a healthcare organization to adapt to emerging technologies without worrying about protecting patient data.





Edemekong, P., Annamaraju, P., & Haydel, M. (2021). Health Insurance Portability and Accountability Act. Ncbi.nlm.nih.gov. Retrieved 21 October 2021, from https://www.ncbi.nlm.nih.gov/books/NBK500019/.

HHS. (2013). Summary of the HIPAA Privacy Rule. HHS.gov. Retrieved 21 October 2021, from https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html?language=en.