#I am here to make my rote memorization of HIPAA everybody else’s problem 😊
alatariel-galadriel · 1 year ago
3 Common Misconceptions: HIPAA Edition
(aka I have HIPAA tattooed under my eyelids and I want to make it everyone else’s problem)
This is pedantic, but the act protecting your health information is HIPAA, not HIPPA. One ‘p’, two ‘a’s. HIPAA stands for the Health Insurance Portability and Accountability Act, not the oft-quoted (and non-existent) Health Information Privacy & Protection Act. Not a huge deal, since it protects your health information regardless, but it’s a pretty decent metric to mark if someone actually knows what they’re talking about.
HIPAA protects you from employees of healthcare organizations sharing your information without your consent. HIPAA violations occur when someone who has access to your medical information *as part of their job* either a) purposely accesses information outside of their job requirements, b) shares your health information without your consent, or c) puts health information in a position where it can be improperly accessed by others, purposefully or not. You can shout your medical information to the hills. People who you've told your medical information to can shout it to the hills, so long as they didn’t get that information through their job. People can demand that you share your information--but your doctor can’t hand it over without your consent.
Exceptions to HIPAA exist. There are quite a few of them, actually, and I’ve made a detailed list below the cut; but to correct the biggest misconception: yes, there are situations where health care employees are required to share your information with the government. This typically falls under mandatory reporting (think child abuse, gunshot wounds, or highly infectious diseases), but your information can also be accessed via warrant or subpoena for criminal proceedings.
Here is the government’s webpage breaking down the HIPAA Privacy Rule if you want to know more! I love love love HIPAA and will gladly talk about it for as long as anyone will let me (hence the cut below).
Detailed breakdown of HIPAA exceptions under the cut:
TPO: This stands for Treatment, Payment and Operations, because if your health info was on complete lockdown, no healthcare entity could function. Employees can access/share your info when that info is necessary for them to...
Provide treatment (ie: your nurse can share your info with your doctor)
Receive payment (ie: giving your info to your insurance company)
Maintain operations (ie: health data/medical records staff. This is me--as a health systems analyst, I can’t do my job without access to the data within the medical records system)
Public Interest: ie: when required by law/governmental function. This includes:
Mandatory reporting (discussed above. Healthcare professionals are required to report infectious diseases like measles or rabies, as well as incidents like gunshot wounds or domestic violence.)
Health oversight activities. These are the organizations who evaluate and investigate whether a facility meets safety/performance regulations and standards. Trust me, you want your info shared with these folks!! 
Law Enforcement. I’m going to be really specific here, because there’s been a lot of (justifiable) concern post-Roe v Wade. Your info can be shared if it is…
Subpoenaed, court-ordered, or sought under a court-ordered warrant by a court, judge, or administrative tribunal
Requested by law enforcement to ID a suspect, fugitive, witness, or missing person
Requested by law enforcement for info about a victim/suspected victim of crime
To alert law enforcement of a person’s death if the organization believes a crime has occurred
If the healthcare organization believes the information is evidence of a crime that occurred on its premises.
In emergency situations, providers can share information about the nature of a crime, the location of crime/victims, and the perpetrator of the crime.
Decedents: Funeral directors, coroners, and medical examiners all need your info to do their jobs. Being deceased, you can’t give your authorization, so a healthcare org sharing your info with them is not a HIPAA violation.
Organ/Eye/Tissue donation: pretty self-explanatory. Some of your information as a donor might be shared to ensure a healthy transplant.  
Research (limited data sets): This one tends to freak people out, but if you’re on one of these, anything that can identify you is removed (name, address, etc.). Instead, details of specific conditions/treatments are stored to provide data for researchers. For example, every state has, by law, a cancer registry--used to identify sudden spikes that might be attributable to environmental factors.
Serious threats to health/safety. If a serious, specific threat is made against a person or the public, this can be shared with law enforcement and the person who the threat is made against. There’s a lot of grey area here in what counts as a specific threat, and this can get complicated quickly, but if someone tells a medical professional that they are planning on harming you, you will be notified alongside law enforcement. Likewise for a bomb or other public threat.
Essential government functions. If you are in prison or another correctional facility, you are not protected by HIPAA. Some government benefit programs will require the disclosure of health information. (It also includes national security and military missions.)
And last, but not least: worker’s compensation. Healthcare orgs have to share parts of your information for you to receive worker’s comp, as part of the verification process. Fantastic!