The Health Insurance Portability and Accountability Act was one of the most high-profile laws ever to see the light of day in the United States. It was originally passed in 1996 with a view to protecting the medical records, or Personal Health Information (PHI), of the general public from unauthorized access. One of the most important parts of the act was the HIPAA email rules, which specified several steps organizations needed to take in order to be able to transfer patient records via email.
For the purposes of the legislation, all medical records are referred to as the aforementioned Personal Health Information, or PHI for short. There is a significant number of policies and rules governing how PHI is used, transmitted and stored. PHI can include such things as test results, lab results, doctors' notes, billing information or health insurance documents, to name a few. The HIPAA email rules address the transmission of these kinds of records: who they can be sent to, how they are sent and how the information is dealt with afterwards.
There is still quite a bit of confusion about what HIPAA entails, even almost 15 years after it was first enacted. This confusion has led to a sometimes overly cautious attitude towards patient records, with providers taking extraordinary measures to ensure they don't fall foul of the law. Although the idea was to secure data while allowing free and fast transmission between permissible organizations, the HIPAA email rules often slow down the sharing of these records. Companies know there are significant penalties for failure to comply, and so can take a long time to share the data.
In some respects, HIPAA works reasonably well. It protects patient information, yet stays out of the way during urgent situations, such as when a patient needs a relative to collect a prescription, or when a school needs to access a child's vaccination records. It also allows law enforcement to access the data in relation to investigations and the assistance it provides during the lifetime of the patient.
On the other hand, it does create quite an administrative overhead for doctors, hospitals and insurers. Not only does the information have to be handled delicately and kept secure; under the HIPAA email rules, keeping records, storing emails and controlling how they are shared is complicated and takes a lot of administering. It isn't just about the people handling the data, it's about the infrastructure, the networks and the systems involved in its transmission. Email containing PHI has to be encrypted, protected, indexed, stored securely and retrievable at a moment's notice.
Make no mistake about it, overall HIPAA is a good thing. Like many laws, it is overcomplicated and needs a very highly skilled lawyer to understand it completely. It throws up as many challenges as it seeks to address, is cumbersome in its enforcement and expensive to comply with. Despite this, it does go a long way to protecting patient confidentiality and all of our medical records.