HIPAA and its recent HITECH amendments are expansive laws affecting the healthcare industry; they are complex and widely misunderstood.
In the U.S., certain organizations, called covered entities, that create, maintain, transmit, use, and disclose an individual’s protected health information (PHI) are required to meet the requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA was originally created to streamline healthcare processes and reduce costs by standardizing certain common health care transactions, while protecting the security and privacy of individuals’ PHI. HIPAA was expanded in 2009 by the Health Information Technology for Economic and Clinical Health Act (HITECH), which is Title XIII of the American Recovery and Reinvestment Act. The U.S. Department of Health and Human Services (HHS) manages and enforces these standards.
HIPAA and HITECH focus on PHI, which generally includes any personally identifiable information regarding an individual’s physical or mental health, the provision of healthcare to him or her, or payment for related services. PHI also includes any personally identifiable demographic information, including, for example, name, address, phone numbers, and social security numbers.
HIPAA and HITECH impose requirements related to the use and disclosure of PHI, appropriate safeguards to protect PHI, individual rights, and administrative responsibilities. For additional information on HIPAA and HITECH, visit www.hhs.gov/ocr/hipaa.
Under HIPAA, individuals, organizations, and agencies that meet the definition of a “covered entity” (such as health care providers engaged in certain electronic transactions, health plans, and health care clearinghouses), and their business associates, must follow established electronic data interchange standards, comply with the HIPAA rules, and establish policies intended to protect the privacy and security of health information. The laws are most frequently applied to organizations commonly associated with the healthcare industry, such as hospitals, doctors’ offices, and HMOs.
Covered entities are defined under HIPAA as follows:
- Healthcare Providers. A “provider of services” or of “medical or health services,” or any other person or organization who furnishes, bills, or receives payment for health care in the normal course of business.
- Health Plans. An individual or group plan that provides, or pays the cost of, medical care, such as health insurance companies, health maintenance organizations (HMOs), and Medicare.
- Health Care Clearinghouse. A public or private entity that processes or facilitates the processing of health information into a standard or nonstandard format (typically claim and billing information) between other players in the healthcare system. For example, a hospital may send the bill for your treatment to a health care clearinghouse that will reformat and submit the information to your insurance company.
Unlike a covered entity, CampDoc.com is not regulated by HIPAA. Our primary relationship is with the user. Under HIPAA, patients have a right to obtain a copy of their medical records. If they choose to use CampDoc.com, we’ll help them store and manage their medical records online.
The information below describes how the CampDoc.com data confidentiality practices compare to those mandated by HIPAA.
Do individuals have access to their medical records and health information?
Under HIPAA, patients can request a copy of their medical records from their healthcare provider. This typically requires completing release paperwork and may require a printing or copying fee. In some circumstances, availability of certain records may be limited.
In CampDoc.com, users have free and immediate web access at all times to the medical records and health information they store in their account.
Are individuals informed of how their information is used and protected?
Healthcare providers must provide patients with written notice of their HIPAA privacy rights.
What information is protected?
Under HIPAA, personally identifiable information is protected. De-identified patient information is not protected. Aggregate, de-identified patient information can be published and shared with third parties.
When is information sharing permitted?
Under HIPAA, healthcare providers may share information with patient authorization, and may share it without authorization for certain purposes, such as:
- When doctors or other healthcare providers share information to treat patients, like when faxing patient records for a referral
- When used for payment, including sharing with insurance companies to pay for care
- When employers face workplace injury claims
- When public health researchers need aggregate information for studies
- For health care operations, including to contractors and vendors operating on a provider’s behalf (subject to security and confidentiality requirements)
CampDoc.com may share information with explicit user authorization, and may share without authorization in certain limited circumstances, such as:
- With contractors and vendors operating solely on behalf of CampDoc.com (subject to security and confidentiality requirements)
When is information sharing required?
Under HIPAA and various federal and state laws, health care providers must share patient information to comply with court orders and subpoenas. HIPAA itself also allows healthcare providers to voluntarily share patient information with law enforcement without a subpoena and without permission from, or notice to, the patient.
Under various federal and state laws, CampDoc.com must share user information to comply with court orders and subpoenas. When possible, we notify the user in order to give them the opportunity to object. Under the Electronic Communications Privacy Act (ECPA), CampDoc.com may not voluntarily share most user information with law enforcement.
Is information protected when used by third parties?
If the third party is covered by HIPAA, HIPAA rules apply. If the third party (e.g., a patient’s family member or employer) is not covered by HIPAA, HIPAA rules do not apply.
Online services not covered by HIPAA that wish to integrate with CampDoc.com must comply with the developer policies of CampDoc.com, which establish strict privacy standards for how they collect, use, or share user information.
Can information be seen or used internally?
Under HIPAA, employees in particular job functions may have access to patient information without patient authorization as reasonably necessary to carry out duties relating to treatment, reimbursement, or healthcare operations, such as to communicate about health benefit plans or to recommend alternative treatments or therapies.
A limited number of employees in particular job functions may have access to user information in order to operate and improve CampDoc.com. Users consent to this limited internal use when they sign up for CampDoc.com.
How is information kept secure?
HIPAA requires that health care providers and other covered services maintain a minimum standard of “reasonable and appropriate safeguards to prevent intentional or unintentional use or disclosure of health information.”
CampDoc.com secures information by using electronic security measures such as Secure Sockets Layer (SSL) encryption, back-up systems, and other cutting-edge information security technology, as outlined in our Security Policy.
Who enforces privacy protections?
Under HIPAA, the Department of Health and Human Services Office for Civil Rights enforces HIPAA privacy protections through civil and criminal penalties.