Today's consumers are becoming increasingly wary when it comes to protecting their personal information. Meanwhile, many recent security breaches in the healthcare industry are making the public question if their healthcare providers are doing enough to protect their sensitive data.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was created as a response to the general public's concern about the security of their personal healthcare information. HIPAA reduces healthcare fraud and abuse, implements industry-wide standards for healthcare data and ensures the security of confidential information, as well as allows patients access to and control over their health information.

What are HIPAA Patient Rights?

HIPAA patient rights form a centerpiece of the HIPAA regulation, supported by the HIPAA patient consent form and the HIPAA release form, which imposes stringent controls on the allowed uses and disclosures of health data. HIPAA mandates that health data can only be shared for purposes related to the treatment of the patient, payment for healthcare, or for business reasons necessary to provide healthcare services. HIPAA-covered entities and their business associates must also implement security measures to ensure privacy and confidentiality of healthcare data.

There are six main HIPAA patient rights as detailed below.

  • Right to Restrict Sharing of Health Data: Patients have the right to restrict sharing of their health data for purposes other than treatment, payment, or healthcare services.
  • Notification of Privacy Practices: HIPAA-covered entities are required to notify the patient regarding their use of medical data.
  • Right to Find Out Who Has Received Health Data: If requested, a covered entity is required by HIPAA to provide information about who has received a patient’s health data over the past six years.
  • Right to Obtain a Copy of Health Data: The patient has a right to view or obtain a copy of their health data to check for errors, keep a copy for their records, or to share their information with others.
  • Right to Correct Errors in Health Records: HIPAA gives patients the right to make changes to their health information to correct mistakes in their health data.
  • Right to File a Complaint for a Privacy Violation: A patient can file a complaint if they have reason to believe that their health data has been disclosed to or accessed by an unauthorized individual, or that any aspect of the HIPAA Rules has been violated.

What's a HIPAA Patient Consent Form?

One of HIPAA's goals is to give patients easy access to their medical records. To release their protected health information (PHI) to a third party for treatment, payment or healthcare operations, patients can complete and submit the HIPAA patient consent form. A few of the circumstances under which PHI needs to be shared with other individuals or organizations could include:

  • A patient who needs to share their health information with doctors, hospitals or other healthcare providers.
  • A patient who grants their attorney access to their PHI to prove that a medical condition wasn't pre-existing when pursuing a medical insurance claim.
  • A patient who provides permission for their healthcare agent to investigate a bill if they're hospitalized or incapacitated.

According to the HIPAA standard of “minimum necessary,” the doctor or healthcare provider can only release information that's required to accomplish the intended purpose to the designated third party.

What's the HIPAA Release of Information?

While the patient consent form pertains to the release of information for use in treatment, payment or healthcare operations, a HIPAA release form is required if the PHI is to be used for other purposes, such as marketing and fundraising, research, psychotherapy, or the sale of PHI or sharing of information that involves remuneration.

A HIPAA release form must contain the following information:

  • How the information will be used or disclosed.
  • The purpose of disclosing the information.
  • To whom the information will be disclosed.
  • An expiration date or event for such consent to use or disclose the information.
  • A signature and date that the authorization is signed by the individual or the individual’s representative.

The form also needs to detail how an individual can revoke the authorization and indicate that the covered entity may not condition treatment, payment, enrollment or eligibility for benefits on whether the individual signs the authorization.

What is PHI HIPAA?

While Protected Health Information (PHI) pertains to a patient’s health information such as diagnoses, medical test results, treatment information, and prescription information, ePHI is any PHI that is held in electronic form.

PHI HIPAA is a HIPAA rule that applies to PHI and ePHI. It relates to a patient’s past, present, or future health status that is created, collected, transmitted, or maintained by a HIPAA-covered entity in order to provide healthcare, payment for healthcare services, or use in healthcare services. Interestingly, PHI is only considered PHI when a patient can be identified from the information it holds. If a patient’s identifying information is stripped from health data, it ceases to be protected health information and the HIPAA Privacy Rule’s restrictions on uses and disclosures no longer apply.

What are the 18 HIPAA Identifiers?

PHI HIPAA refers to PHI that includes one or more of the HIPAA identifiers outlined in HIPAA regulations. The privacy rules in the act protect anything that is considered “individually identifiable health information” and detail specific HIPAA patient identifiers that need to be safeguarded. The rules limit disclosure of this protected health information to maintain patient confidentiality and integrity. The 18 HIPAA patient identifiers that need to be protected are:

  1. Names (Full names, Last names, or Initials)
  2. All geographical subdivisions smaller than a state, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code, if according to the current publicly available data from the Bureau of the Census: (1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
  3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older.
  4. Phone numbers
  5. Fax numbers
  6. Electronic mail addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers, including license plate numbers
  13. Device identifiers and serial numbers
  14. Web Universal Resource Locators (URLs)
  15. Internet Protocol (IP) address numbers
  16. Biometric identifiers, including finger and voice prints
  17. Full face photographic images and any comparable images
  18. Any other unique identifying number, characteristic, or code (note this does not mean the unique code assigned by the investigator to code the data)
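The ZIP-code rule in item 2 and the date and age rules in item 3 are precise enough to encode as a de-identification check. The following Python is an added example, not code from the original page: the population table, the field names, and the sample record are constructed placeholders, and in practice the population figures for each three-digit ZIP prefix must come from current Census data.

```python
"""Safe Harbor style de-identification helpers (added example).

Applies the ZIP-code, date and age rules from the HIPAA identifier list to a
patient record held as a plain dict with ISO-8601 date strings.
"""
import re
from datetime import date

# Constructed sample population by 3-digit ZIP prefix (hypothetical numbers).
# The rule keys on whether the area covered by a zip3 has more than 20,000
# people; real figures come from Census data.
ZIP3_POPULATION = {
    "021": 500_000,   # large metropolitan prefix
    "036": 15_000,    # sparsely populated prefix: 20,000 or fewer people
}

# Constructed field names for direct identifiers that are dropped outright
# (names, phone, fax, email, SSN, medical record number, account number).
DIRECT_IDENTIFIER_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn", "account_number",
}

# Date fields directly related to the individual; reduced to year only.
DATE_FIELDS = ("birth_date", "admission_date", "discharge_date", "date_of_death")


def safe_harbor_zip(zip_code, zip3_population=ZIP3_POPULATION):
    """Keep only the first three digits of a ZIP code, and replace them with
    '000' when the combined zip3 area has 20,000 or fewer people.
    An unknown or malformed ZIP is treated as a small area (fails closed)."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 5:
        return "000"
    zip3 = digits[:3]
    return zip3 if zip3_population.get(zip3, 0) > 20_000 else "000"


def safe_harbor_age(age):
    """Ages over 89 are collapsed into a single '90+' category."""
    return "90+" if age > 89 else str(age)


def age_on(birth_iso, reference_iso):
    """Whole years between an ISO-8601 birth date and a reference date."""
    born = date.fromisoformat(birth_iso)
    ref = date.fromisoformat(reference_iso)
    years = ref.year - born.year
    if (ref.month, ref.day) < (born.month, born.day):
        years -= 1
    return years


def deidentify_record(record, reference_iso):
    """Return a copy of `record` with the identifier rules applied.

    - direct identifiers are dropped
    - ZIP is reduced with safe_harbor_zip
    - dates keep only their year
    - age is reported, aggregated to '90+' above 89; for such patients the
      birth date is removed entirely, because even its year reveals the age
    """
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIER_FIELDS}

    age = age_on(record["birth_date"], reference_iso)
    out["age"] = safe_harbor_age(age)

    for field in DATE_FIELDS:
        if field in out:
            out[field] = out[field][:4]   # "YYYY-MM-DD" -> "YYYY"
    if age > 89:
        out.pop("birth_date", None)

    if "zip" in record:
        out["zip"] = safe_harbor_zip(record["zip"])
    return out


# Constructed sample record, not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "ssn": "000-00-0000",
    "zip": "02139-4307",
    "birth_date": "1980-03-15",
    "admission_date": "2024-05-20",
    "diagnosis": "J18.9",
}

if __name__ == "__main__":
    print(deidentify_record(SAMPLE_RECORD, "2024-06-01"))
```

Two design choices matter for a reviewer: an unrecognised ZIP prefix is mapped to "000" rather than passed through, so a stale or incomplete population table cannot leak a small area, and a patient older than 89 loses the birth date entirely, since a year alone would reveal the age that item 3 says must be aggregated.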

What is HIPAA Record Retention?

HIPAA safeguards PHI and ePHI, but what happens to this information when the patient moves to another state or changes healthcare providers? How long are their medical records kept in storage?

HIPAA record retention requirements mandate that covered entities and business associates maintain certain documentation for a specified time frame; this documentation may need to be produced for inspection or audit by the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS).

The federal act, however, does not mandate a specific HIPAA record retention period for medical records. This is left up to state laws, which can vary greatly. In North Carolina, for example, hospitals need to maintain patient records for 11 years after discharge. Hospitals need to keep the records for seven years after discharge in Florida, but only five years in Nevada. There may be different state rules for physicians, research facilities, and for the treatment of minors.

HIPAA record retention policies do not apply to associated records that are not considered an individual’s medical records. This includes items such as privacy policy notices, risk assessments and risk analyses, authorizations for disclosure, and other forms. These forms are required to be kept for six years after creation or revision.

What are the 2018 Medical Records Retention Laws?

Record retention laws were established in 2018 to keep the information contained in medical records as safe as possible. These laws classify types of records and specify the length of time for which they need to be kept. Once a record expires, it should be destroyed.