Individually identified health care information is private information that is protected by federal law. In 1996, Congress enacted the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule to ensure patients have rights over their own health information, no matter what form it is in. The government also created the HIPAA Security Rule to require specific protections to safeguard patients’ electronic health information. A few possible measures that can be built in to health IT systems (including EHRs and HIOs) may include:
- Access control – tools like passwords and PIN numbers, to help limit access to patient information to authorized individuals.
- Encrypting – patient health information cannot be read or understood except by those using a system that can decrypt it with a key.
- Audit trail – records who accessed a particular patient’s information, what changes were made and when; and
- Notification of a breach – requirement by federal law that doctors, hospitals, and other health care providers notify a patient of a breach or his or her health information. The law also requires the health care provider to notify the Secretary of Health and Human Services. If a breach affects more than 500 residents of a state or jurisdiction, the health care provider must also notify prominent media outlets serving the state or jurisdiction. This requirement helps patients know if something has gone wrong with the protection of their information and helps keep providers accountable for EHR protection.
To learn more, visit www.hhs.gov/ocr/privacy/