HIPAA Patient Rights and HIPAA Identifiers
Today's consumers are becoming increasingly wary when it comes to protecting their personal information. Meanwhile, many recent security breaches in the healthcare industry are making the public question if their healthcare providers are doing enough to protect their sensitive data.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was created as a response to the general public's concern about the security of their personal healthcare information. HIPAA reduces healthcare fraud and abuse, implements industry-wide standards for healthcare data and ensures the security of confidential information, as well as allows patients access to and control over their health information.
What are HIPAA Patient Rights?
HIPAA patient rights form a centerpiece of the HIPAA regulation, supported by the HIPAA patient consent form and the HIPAA release form, which imposes stringent controls on the allowed uses and disclosures of health data. HIPAA mandates that health data can only be shared for purposes related to the treatment of the patient, payment for healthcare, or for business reasons necessary to provide healthcare services. HIPAA-covered entities and their business associates must also implement security measures to ensure privacy and confidentiality of healthcare data.
There are six main HIPAA patient rights as detailed below.
- Right to Restrict Sharing of Health Data: Patients have the right to restrict sharing of their health data for purposes other than treatment, payment, or healthcare services.
- Notification of Privacy Practices: HIPAA-covered entities are required to notify the patient regarding their use of medical data.
- Right to Find Out Who Has Received Health Data: If requested, a covered entity is required by HIPAA to provide information about who has received a patient’s health data over the past six years.
- Right to Obtain a Copy of Health Data: The patient has a right to view or obtain a copy of their health data to check for errors, keep a copy for their records, or to share their information with others.
- Right to Correct Errors in Health Records: HIPAA gives patients the right to make changes to their health information to correct mistakes in their health data.
- Right to File a Complaint for a Privacy Violation: A patient can file a complaint if they have reason to believe that their health data has been disclosed or accessed by an unauthorized individual or that any aspect of HIPAA Rules have been violated.
What's a HIPAA Patient Consent Form?
One of HIPAA's goals is to give patients easy access to their medical records. To release their protected health information (PHI) to a third party for treatment, payment or healthcare operations, patients can complete and submit the HIPAA patient consent form. A few of the circumstances under which PHI needs to be shared with other individuals or organizations could include:
- A patient who needs to share their health information with doctors, hospitals or other healthcare providers.
- A patient who grants their attorney access to their PHI to prove that a medical condition wasn't pre-existing when pursuing an medical insurance claim.
- A patient who provides permission for their healthcare agent to investigate a bill if they're hospitalized or incapacitated.
According to the HIPAA standard of “minimum necessary,” the doctor or healthcare provider can only release information that's required to accomplish the intended purpose to the designated third party.
What's the HIPAA Release of Information?
While the patient consent form pertains to the release of information for use in treatment, payment or healthcare operations, a HIPAA release form is required if the PHI is to be used for other purposes, such as marketing and fundraising, research, psychotherapy, or the sale of PHI or sharing of information that involves remuneration.
A HIPAA release form must contain the following information:
- How the information will be used or disclosed.
- The purpose of disclosing the information.
- To whom the information will be disclosed.
- An expiration date or event for such consent to use or disclose the information.
- A signature and date that the authorization is signed by the individual or the individual’s representative.
The form also needs to detail how an individual can revoke the authorization and indicate that the covered entity may not condition treatment, payment, enrollment or eligibility for benefits on whether the individual signs the authorization.
What is PHI HIPAA?
While Protected Health Information (PHI) pertains to a patient’s health information such as diagnoses, medical test results, treatment information, and prescription information, ePHI is any PHI that is held in electronic form.
PHI HIPAA is a HIPAA rule that applies to PHI and ePHI. It relates to a patient’s past, present, or future health status that is created, collected, or transmitted, or maintained by a HIPAA-covered entity in order to provide healthcare, payment for healthcare services, or use in healthcare services. Interestingly, PHI is only considered PHI when a patient can be identified from the information it holds. If a patient’s identifying information is stripped from health data, it ceases to be protected health information and the HIPAA Privacy Rule’s restrictions on uses and disclosures no longer apply.
What are the18 HIPAA Identifiers?
PHI HIPAA refers to PHI that includes one or more of the HIPAA identifiers outlined in HIPAA regulations. The privacy rules in the act protect anything that is considered “individually identifiable health information” and detail specific HIPAA patient identifiers that need to be safeguarded. The rules limit disclosure of this protected health information to maintain patient confidentiality and integrity. The 18 HIPAA patient identifiers that need to be protected are:
- Names (Full names, Last names, or Initials)
- All geographical subdivisions smaller than a state, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if according to the current publicly available data from the Bureau of the Census: (1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
- All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
- Phone numbers
- Fax numbers
- Electronic mail addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web Universal Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers, including finger and voice prints
- Full face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by the investigator to code the data)
What is HIPAA Record Retention?
HIPAA safeguards PHI and ePHI, but what happens to this information in cases where the patient moves to another state, changes healthcare providers? How long are their medical records kept in storage?
HIPAA record retention requirements mandate that covered entities and business associates maintain certain documentation for a specified time frame and may need to be produced for inspection or audit purposes by the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS).
The federal act however, does not mandate a specific HIPAA record retention period for medical records. This is left up to state laws, which can vary greatly. In North Carolina, for example, hospitals need to maintain patient records for 11 years after discharge. Hospitals need to keep the records for seven years after discharge in Florida, but only five years in Nevada. There may be different state rules for physicians, research facilities, and for the treatments of minors.
What are the 2018 Medical Records Retention Laws?
Record retention laws were established in 2018 to keep the information contained in medical records as safe as possible. These laws classify types of records and specify the length of time that they need to be kept for. Once a record expires, it should be destroyed immediately.
Hospitals and other health care providers need to formulate written policies and procedures regarding the retention and disposal of medical records. Doing so will help the provider achieve compliance with HIPAA as well as with other state and federal laws. Without a written policy, a provider may retain records longer than necessary, which is expensive and inefficient, or dispose of records too soon, resulting in the inability to access important documents when needed. In addition, if a record retention policy limits how long information is retained, there is less information to search and review if the healthcare provider is served with a subpoena or other document request.
Healthcare providers can easily sort and organize their files, streamlining record-keeping procedures while maintaining a strict, high level of security with specific guidelines in place on how long to retain medical records. Every healthcare provider needs to create and document a record retention schedule and set up record management procedures to streamline retention and quick disposal efforts. Here is a general record retention table for different types of medical records:
|Health Information||Recommended Retention Period|
|Diagnostic Images ( X-ray films, etc) (adults)||5 years|
|Diagnostics Images (X-ray films, etc) (minors)||5 years after the age of majority|
|Disease Index||10 years|
|Master Patient / Person Index||Permanently|
|Operative Index||10 years|
|Patient Health / Medical Records (adults)||10 years after the most recent encounter|
|Patient Health/ Medical Records (minors)||Age of majority plus statute of limitations|
|Physician Index||10 years|
|Register of Births/ Deaths||Permanently|
|Register of Surgical Procedures||Permanently|
Choose 8x8 to Safeguard HIPAA Patient Rights
HIPAA patient rights and the PHI HIPAA release process are designed to protect patients' personal information while empowering them to decide to whom their information can be disclosed and for what purpose. The HIPAA consent form and release form are put in place to give patients the key to their health information so they can control how their data can be used.
For healthcare providers and any entity handling PHI, it's critical to have the proper systems in place to protect HIPAA patient rights by choosing the right providers for all the systems that handle PHI.
When it comes to medical records and PHI, 8x8 provides the highest levels of security that you can find among cloud providers. Don't take your chances with a cloud-based telecom system that does not provide the highest levels of security for your patients’ PHI. Call 1-844-276-2159 or fill out our form online to request a no-obligation quote from an 8x8 Product Specialist.