Understanding HIPAA

Last Modified: 1/23/2020


This post was written by Valerie Fetters, corporate compliance director, Parkview Health.

What is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted on August 21, 1996, and requires the Secretary of Health and Human Services (HHS) to publicize the standards for the electronic exchange, privacy and security of health information. These standards are known as the Privacy Rule. They address the use and disclosure of an individual’s protected health information (PHI) by organizations or “covered entities” that are subject to the Privacy Rule. The Privacy Rule also addresses an individual’s privacy rights to understand and control how their health information is being utilized. Within HHS, the Office for Civil Rights (OCR) has responsibility for implementing and enforcing the Privacy Rule.

Why is it used?

A major goal of the Privacy Rule is to ensure an individual’s health information is properly protected while allowing the flow of health information needed to provide high-quality healthcare. It defines and limits the circumstances in which PHI may be used or disclosed. 

What is protected health information?

PHI is any information about health status, provision of healthcare, or payment for healthcare that is created or collected by a covered entity and can be linked to a specific individual. PHI is information, including demographic data, that relates to:

  • The individual’s past, present or future physical or mental health or condition
  • Healthcare services provided to the individual
  • The past, present or future payment for the provision of healthcare to the individual
  • Any other information that can reasonably be used to identify the individual (social security number, name, address, date of birth, etc.)

What rights does HIPAA give to an individual?

HIPAA gives patients certain rights regarding their PHI, including:

  • The right to review and obtain a copy of their medical record.
  • The right to request an amendment to their medical record when information is inaccurate or incomplete. An amendment request can be denied if the information is determined to be correct or if the information was not generated by the covered entity.
  • The right to an accounting of the disclosure of their medical record for six years preceding the request.
  • The right to request that a covered entity restrict the use or disclosure of PHI for treatment, payment or health care operations purposes or notification purposes. A covered entity is under no obligation to agree to requests for restrictions unless it’s for services paid in full by you or someone on your behalf, other than a health plan.
  • The right to request an alternative location for receiving communications of PHI or by means other than those typically used by the covered entity.

Who must abide by the Privacy Rule?

The Privacy Rule applies to health plans, healthcare clearinghouses and healthcare providers, which are the covered entities. Let’s explore each entity:

  • Health Plans: Organizations that provide payment for the cost of medical care. Some examples include health, dental, vision, prescription drug insurers, health maintenance organizations (HMOs), Medicare, Medicaid, Medicare supplement insurers, employer-sponsored group health plans and more.
  • Health Care Clearinghouses: These are entities that process claims for payment.
  • Health Care Providers: These include hospitals, physicians, dentists and other practitioners.

Who really has access to your records?

Access to PHI can be obtained and used without authorization for treatment, payment, healthcare operations (quality assessments, improvement activities, competency reviews, training, compliance reviews, etc.) or for specific instances identified by HIPAA. These could include disclosures required by law for public health activities (cancer registry, birth and death certificates, communicable disease reporting, etc.), worker compensation, certain law enforcement purposes, health oversight activities (audits, licensure and disciplinary actions) and more.

Other important facts to know about HIPAA

  • Disclosures of an individual’s PHI, not permitted or required by Indiana state statutes, federal laws, rules and regulations including HIPAA, shall be made only with the written authorization of the patient or the patient’s legally recognized representative.
  • Minors, ages 14-17, can consent for their own treatment related to STDs or alcohol or drug abuse. This information is protected under Indiana Law and can’t be released, even to a parent, without the minor’s consent.
  • Patients can request a copy of their medical record by contacting Parkview’s Health Information Management (HIM) department.
  • When admitted, your name and location within the facility will be included in the facility directory and may be disclosed to any person who asks for you by name, unless you object.

To learn more about patient privacy, please visit Parkview Health’s privacy practices page.
