Health Insurance Portability
and Accountability Act (HIPAA)

The original legislative intent of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) was to compel the healthcare industry to computerize its paper records and thereby reduce both costs and the volume of paper generated.  Potentially, electronic storage of data—lab results, doctor consultations, nursing notes, orders, prescriptions, and so on—also affords more privacy than paper records do.  It can protect patient information by limiting who has access to it and restricting that access to only the relevant area of information.

Because the HIPAA legislation prompted concerns about privacy, the Department of Health and Human Services (HHS) eventually instituted new regulations to address the issue.  On April 14, 2003, healthcare providers—doctors, pharmacists, insurance companies, and the like—had to comply with the new HIPAA rules.  As of that date, those who had access to a person’s medical records had to be able to prove they had a plan for ensuring that those records remained private.  Specifically, the new rules spelled out a patient’s right to know about and control how his or her health information is used.  Further, companies involved in safekeeping medical records had to show that their employees understood these new HIPAA rules.

(While the HIPAA rules seek to eliminate inappropriate use of individuals’ medical records and ensure a greater level of privacy, they also restrict some appropriate uses—one of the tradeoffs being the restriction on information that is available to researchers working to improve health care and healthcare systems generally.)

Today, patients customarily sign a form acknowledging that their healthcare provider has informed them of its privacy policies and patients’ rights—one of which is the right to review those policies.  Not only are there specific rules about when, how, and what kind of information can be shared, the person whose information is being shared must be made aware that such sharing may occur.

The rules regarding these rights can be summarized as follows:
• Healthcare providers and insurance companies must explain how they will use and disclose health information.
• Patients can ask for copies of all of this information and make appropriate changes to it.
• Patients can request a history of any unusual disclosures.
• In order for patients’ health information to be shared, they must give formal consent.
• Patients have the right to complain to HHS about violations of HIPAA rules.
• Health information must be used only for health purposes.  Without consent, it can't be used to help banks decide whether to approve or decline a loan, or to help potential employers decide whether or not to hire a person.
• When health information is shared, only the minimum, necessary amount of information is to be disclosed.
• Psychotherapy records are afforded an extra level of protection.

If patients are asked to sign forms that authorize the sharing of medical information with other healthcare providers involved in their care, they typically must sign separate forms for each provider.



Some of the physicians affliated with Post Street Orthopaedics & Sports Medicine offer a HIPAA notice and an acknowledgment form on their individual Web pages.  You may view a generic version here . . .

HIPAA Notice (example only)