HIPAA Regulations & Privacy Rules
HIPAA protects you from unauthorized medical record disclosure.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was established to protect individuals' health records and to extend rights to patients concerning that information. It consists of the privacy rule and the security rule. While HIPAA is structured to allow certain disclosures of information for vital purposes such as appropriate medical care or safety, the act also establishes procedures for filing complaints against violating entities.

HIPAA Privacy Rule
The HIPAA privacy rule ensures that an individual's health information is protected yet can still be accessed to provide quality care. The privacy rule covers certain transactions made by certain providers.
HIPAA's privacy rule must be adhered to by the following bodies, called "covered entities" in the act: health plans (including dental, vision, prescription drug insurers, HMOs, most government plans, nursing home or other long-term policies and church- or employer-sponsored group health plans), health care clearinghouses and any health care provider who transmits health information in electronic form.
These bodies must specifically guard and control certain information transactions, such as claims, benefit eligibility inquiries, referral authorization requests or any transmission of information pertaining to an individual's physical or mental health, the extent and type of care rendered (as well as payment for that care) and any information that may be used to identify the individual.

HIPAA Security Rule
Before the HIPAA security rule was enacted, there was no uniform standard for protecting health information, even as health care providers began to take advantage of new technology for more efficient operations. The Security Standards for the Protection of Electronic Protected Health Information (the HIPAA Security Rule) put in place operational standards for electronic transactions to protect the information covered by the privacy rule.
The security rule applies to the same providers considered "covered entities" under the privacy rule. To comply with the Security Rule, these bodies must protect the personal information stipulated in the privacy rule both physically and electronically. This includes limiting access and requiring authorization to retrieve records or identifying information, establishing policies for the proper use of equipment used to store this information, securing electronic databases (including the use of security hardware and software) and protecting records from alteration or destruction. Covered entities are also responsible for ensuring data is securely transmitted (a provision intended to reduce finger-pointing in cases that involve more than one entity).

Exceptions
There are instances in which the HIPAA privacy and security rules may not apply. Covered entities can access and disclose protected information without authorization in the following situations: to the protected individual; if the information is required for medical treatment or insurance purposes; when the protected individual is unable to consent, such as when unconscious, and the disclosure is in the best interests of the individual; when it is in the best interests of the general public or nation, such as in criminal, public health or child abuse incidents; and for research or health care operations, though the data set must be limited in such a case.
Minor children may also be considered special exceptions, as the parents are usually considered "personal representatives" for the minor. In most cases, the rights safeguarded under HIPAA can be exercised by the parent on behalf of their child.

Violations
Intentional HIPAA violations are treated as criminal offenses. As of August 2010, they can carry fines of $50,000 (per incident) and jail terms of up to one year. The fine may increase to $100,000 and up to five years in jail if the violation involves false pretenses, or up to $250,000 and up to 10 years in jail if it involves intent to sell, transfer or use protected information for personal gain or harm against the violated individual.
Anyone has the right to file a complaint against a violating entity even if the violation was against another individual. The complaint must name the covered entity in question, as well as the alleged incident in violation of HIPAA rules, within 180 days of discovery of the incident.
No covered entity may retaliate, by refusal of service, harassment or malicious act, against an individual who has filed a complaint, refused to waive his HIPAA rights, assisted in an investigation against the entity or insisted on rights established in the HIPAA privacy and security rules.