When it was initially drawn up, HIPAA created standards to safeguard electronically processed health data (such as medical histories) in the United States. 

The legislation obligates covered entities to create a security strategy to protect your personal health information from unpermitted access and also puts in place restrictions on how your healthcare data can be held without your stated permission.

Entities classified as HIPAA bodies are governed by the data protection laws. This includes any entity that supplies direct health care and shares any personal health information electronically and health insurance firms. If an entity is discovered to be in breach of the HIPAA law then financial penalties can be costly and can be applied for not complying with the stipulations of the Act or allowing a breach to occur.

HIPAA gives the following rights to patients:

  • The permission to review a copy of their health record and request amendments.
  • Seek a copy of their electronic health medical history.
  • Direct a health care provider not to distribute treatment information with a health insurance supplier if the treatment was paid for.
  • Not hand over permission for their medical history to be sold for research and marketing purposes.

There are some rules about access for patients to be allowed to inspect, review and obtain their medical and billing records with the following conditions:

  1. Access: Permission will only be granted to the patient or a stated representative to view the data. If you specify an authorized representative they make health care decisions for you via a health care power of attorney. If the death of the patient happens then the representative acts as the official executor or administrator of the deceased person’s estate.
  2. Non-payment: A health care provider is not allowed to use non-payment as a reason not to hand over healthcare data. However, the provider may apply a financial charge in relation to the research conducted, retrieval and document duplication fees.
  3. Exemptions to Access: Some types of data are exempt from the HIPAA access rules including psychotherapy notes. These notes and comments must always be saved separate from the patient’s billing and medical history. However, without the patient’s or the patient’s representative’s permission the provider cannot share psychotherapy notes. 
  4. Changes to Records: Patients are allowed to request that a mistake in their medical history to be addressed if they discover a mistake. Once this is registered the healthcare provider must take action and amend the mistake. If the provider does not agree that a mistake has been made the patient is allowed to demand that the changes being completed. 

HIPAA legislation ensures security measures for patient privacy and grants permission for patients to review their medical records. Organizations are legally obliged to establish security measures to limit unauthorized sharing of personal health data. Financial penalties for violation are very high.