HIPAA is kind of a weird law in terms of what it does, what it was intended to do, and what the public perception of it is.
Despite being primarily thought of as a medical info privacy law, the overwhelming majority of it is actually focused on changes to the way that health insurance and pre-tax health savings accounts worked, including allowing premiums to change based on BMI, tobacco use, and a couple of other things that came later using HIPAA as a justification.
The part that does actually guarantee privacy was the establishment of a portable electronic health record system. Most of the security documentation basically comes down to no-brainer stuff like "have a door or desk in front of the computer with the stuff on it" and "use passwords" and "don't write the password down." There's a lot about proper disclosure in the event of a leak of PHI and ensuring that people are able to request their own health records and have them be transferred.
Here's the important info on the actual Privacy Rule from nih.gov:
Privacy Rule
The HIPAA Privacy Rule regulates the use and disclosure of protected health information (PHI) by "covered entities." These entities include health care clearinghouses, health insurers, employer-sponsored health plans, and medical providers. Upon request, covered entities must disclose PHI to an individual within 30 days. Entities mentioned earlier must provide and disclose PHI as required by law enforcement for the investigation of suspected child abuse.
- Covered entities may disclose PHI to law enforcement if requested to do so by court orders, court-ordered warrants, subpoenas, and administrative requests.
- A covered entity may reveal PHI to facilitate treatment, payment, or health care operations without a patient's written authorization.
- Any other disclosures of PHI require the covered entity to obtain prior written authorization.
- When a covered entity discloses PHI, it must make a reasonable effort to share only the minimum necessary information.
- The Privacy Rule gives individuals the right to demand that a covered entity correct any inaccurate PHI and take reasonable steps to ensure the confidentiality of communications with individuals.
- The Privacy Rule requires covered entities to notify individuals of PHI use, keep track of disclosures, and document privacy policies and procedures.
2013 Omnibus Rule Update
- The revised definition of "significant harm" to an individual in the analysis of a breach provides more investigation to covered entities with the intent of disclosing breaches that were previously not reported.
- Protection of PHI was changed from indefinite to 50 years after death.
- The HIPAA Privacy rule may be waived during a natural disaster.
TL;DR the privacy rule just means that covered entities can't just willy-nilly talk about people's medical records in public or hand them over at any time to any random person that asks, like your neighbour or a journalist. It doesn't stop the government from just demanding that info for whatever they feel like doing.
Don't know why I assumed it would, of course this garbage country wouldn't actually protect anyone's privacy
Akshually, “this garbage country” protects the privacy of geriatric pedophiles known as Supreme Court judges :liberalism: