HIPAA with a Capital 'P'

When it comes to HIPAA rules and your patients' information, most of the focus is on keeping this information private and secure from prying eyes. While this is a very important aspect to the law, we sometimes forget what HIPAA actually stands for - both in name and idea.

Over 15 years ago, the Health Insurance Portability and Accountability Act (HIPAA) was signed into law in order to protect health insurance coverage for U.S. citizens by making it easy for them to take their healthcare records with them to another provider when they change (or lose) jobs. The way in which HIPAA accomplishes this is through the use of standardized electronic health records (EHR). That's why the word "Portability" is right there in the name of the act - so that a patient's EHR can be seamlessly transferred between providers in a secure manner.

Sadly, a decade-and-a-half later, many healthcare providers have forgotten what this means with regard to their own patient data. Understandably, as the Privacy & Security Rules have been the most relevant aspects of HIPAA for most practices, the safekeeping of your patients' Protected Health Information (PHI) has become the number one priority for most doctors. Because of  the narrow focus on safeguarding PHI, we've seen EHR & practice management software vendors preying on this in order to keep doctors locked out of accessing their very own patients' records under the false auspices of "HIPAA security."

Let us be clear - we know patient privacy is of the utmost importance. (It's why we were the first website to provide doctor profiles that allowed patients to submit questions to their doctors through an encrypted form.) Unfortunately, when a vendor tells you you're not allowed to access your own patients' data because it will violate HIPAA, they themselves are the ones violating HIPAA! Securing your patients' PHI should be a priority for your practice, but it doesn't give your vendors the right to lock out of your own patients' information.