What is HIPAA and why does it exist?


In the 1990s, an electronic charting revolution began in healthcare, with the move away from traditional paper-based charts to electronic ones. Patients and nurses no longer had to struggle to decipher the proverbial chicken scratch of a doctor’s handwriting, but the change created new concerns about access to patient records, which went from being safely locked away in a file cabinet to having an online presence.



This tectonic shift in the availability of patient records raised all sorts of questions about the privacy of electronic health records. The electronic health record (also known as an EHR) also opened up further innovations in healthcare, and ultimately safer care, such as computerized physician order entry (CPOE), which can check orders in real time and alert providers to potential allergies and interactions between medications. As healthcare inevitably evolved beyond paper charting and orders, the laws needed to progress as well to preserve the security of this online patient data.

The Age of HIPAA 

In August of 1996, after Congress passed the bill, President Bill Clinton signed Public Law 104-191, the Health Insurance Portability and Accountability Act, into law. With such a long name, and perhaps because it is less known for portability, it became popularly known by its abbreviation: HIPAA. This federal act supplanted any existing state laws unless they were already more restrictive.

The goal of this landmark legislation was, as the name of the bill suggests, twofold. The first aim was to provide for portability of health insurance coverage. This allowed workers who are part of a group health insurance plan to leave one job and transition to another while keeping continuous healthcare coverage for themselves and their family. Lesser known are the protections against discrimination toward the employee and their dependents based on health status, such as charging a higher premium for a preexisting condition. While implementing this, lawmakers also made sure to preserve the states’ right to continue regulating health insurance, and to provide an even higher level of protection than what is available under federal law.

The second part of HIPAA deals with the protection and security of patient information, with an emphasis on patient data online. The patient information is protected health information (PHI), which is also referred to as electronic protected health information, or ePHI. This encompasses any identifying information about a patient, and can include demographic data such as a name, date of birth, home address, a medical diagnosis and a social security number. In fact, healthcare organizations could no longer request a social security number for their data collection.

Giving this meaning

The overall goal of moving to an EHR, which HIPAA fostered, was to create gains in efficiency in healthcare, along with cost savings. To increase adoption of EHRs throughout healthcare organizations, from hospital systems down to solo practitioners, incentives were created to foster permeation of this technology.

While there are many electronic platforms to choose from for creating and storing patient records, just like any product category, they are not created equal. Therefore, these EHRs needed to be evaluated, and if they aligned with standards, they could be designated as a certified EHR (cEHR).

More strictly speaking, a cEHR needs to be used in a meaningful fashion, as in an electronic exchange of health information that is utilized to increase the overall quality of care. An example of this is e-prescribing: practitioners no longer need to use paper prescriptions, and the information is transmitted directly to the pharmacy, so that the medication will be waiting for the patient when they get there. Along with the obvious time savings for the patient, there are also the benefits of electronic checks for drug interactions, and electronic cross-checks on dosing, as the medication can only be prescribed in the strengths available.

Indeed, the use of the cEHR gets judged via the so-called ‘Five pillars of health outcomes.’ To be able to show that it is meaningful use, the cEHR has to exhibit:

  1. An improvement for patient safety, quality of care, efficiency, and reduction in health disparities 
  2. An engagement with both patients and their families for their health 
  3. Improvement in the coordination of care 
  4. To safeguard privacy, and protect the security of PHI 
  5. Improvements in population and public health 

For many patients, the fourth point on that list is the most important. Keeping health information private and secure is important for everyone. People require this in modern society, so that no one becomes the victim of discrimination based on a preexisting condition, whether from an insurance company or a potential employer.

Also, many patients want to choose what health information they share with their family. With HIPAA, any use of PHI, from direct healthcare to other cases such as research, is carefully controlled and regulated. PHI includes not only basic demographics such as a name and medical record number, but also specific medical diagnoses and what medications a patient is taking.

HIPAA was a critical step in putting these important privacy and security protections in place, so that patient information could continue to be safeguarded as medical records went online. In the unlikely event of a breach in which PHI does get leaked online, the patients need to be notified of what information may have been breached.


HIPAA has a number of aspects, all designed to facilitate care through an EHR while protecting patient privacy. Think about what goes into all of this the next time you are at the doctor’s office, entering your information into a connected tablet so that it goes instantly online, rather than filling out pre-appointment paperwork.


Jonas P. DeMuro

Jonas P. DeMuro is a freelance reviewer covering wireless networking hardware.