What law was passed in 1996 that gave patients the right to see their own healthcare records?

HIPAA (The Health Insurance Portability and Accountability Act of 1996)

Disclaimer: The American Cancer Society does not offer legal advice. This information is intended to provide general background in this area of the law.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a law that was created to protect millions of working Americans and their family members with medical problems. These people often had trouble getting health insurance because of a medical problem they had before they tried to buy health insurance (called a pre-existing condition). In fact, before the important protections of the health care law known as the Affordable Care Act took effect, many people with serious health problems couldn’t get health insurance.

How the Affordable Care Act affects HIPAA

Here's how the Affordable Care Act (ACA) helps to get coverage for pre-existing conditions.

  • Employer-based plans and individual health plans cannot deny coverage to people with pre-existing conditions.
  • People under individual health plans that existed before September 23, 2010, known as grandfathered plans, are allowed to use pre-existing condition exclusions. Plans issued or renewed on or after September 23, 2010 must follow the ACA rules.

How HIPAA helps people with cancer

The following information applies to grandfathered plans that existed before September 23, 2010 and were not purchased through the Marketplace. Check with your employer to find out your health care plan’s start date, to learn if it’s grandfathered. If it isn’t, this section does not apply to you.

HIPAA includes several parts that may help people with cancer who are under older grandfathered individual health plans.

  • It limits what’s considered a pre-existing condition. An employer health plan can exclude a medical condition from coverage only if the person had a gap in coverage longer than 63 days, and also had or was recommended to have treatment or medical advice in the 6 months before enrolling in the plan.
  • It limits the time a new employer plan can exclude the pre-existing condition from being covered. An employer health plan can avoid covering costs of medical care for a pre-existing condition for no more than 12 months after the person is accepted into the plan.
  • It gives certain people the right to buy individual health insurance if no group health plan coverage is available, and the person has exhausted COBRA or other continuation coverage. (For more information, see COBRA.) Certain conditions and time limits must be met.
  • It does not allow employers or their health insurers to discriminate or act unfairly against employees and their dependents based on their health status or genetic information.
  • It guarantees certain people the ability to get or renew individual health insurance coverage.

HIPAA also protects privacy and gives you more access to your medical records.

In 2002, the HIPAA laws were expanded to give patients greater access to their own medical records. The expanded law also gave patients more control over how their personally identifiable health information is used. In general, health information may not be shared without the patient's written permission. The law requires health care providers and health insurance plans to protect the privacy of patient health information, too. Medical records must be kept under lock and key and are available only on a need-to-know basis.

What does HIPAA not do?

Even though HIPAA offers protections and makes it easier to switch jobs without fear of losing health coverage for a pre-existing condition, the law has limits. For instance, HIPAA:

  • Does not require employers to offer health coverage, though the new health care law will require some to offer it
  • Does not require employers that offer coverage for employees to also cover their families or dependents
  • Does not guarantee that you can afford the health coverage your employer offers
  • Does not keep an employer from imposing a pre-existing condition exclusion period if you have been treated for a condition during the past 6 months and have had an interruption in your coverage (group plans can’t do this after January 1, 2014)
  • Does not replace your state as the main regulator of insurance where you live

Even so, HIPAA has generally made it much easier to switch health plans or change jobs without losing coverage if you have a health problem.

Twenty-two years ago this month, the U.S. Congress enacted the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The federal Privacy, Security, and Breach Notification Rules implemented under HIPAA, and administered and enforced by the HHS Office for Civil Rights (OCR), continue to serve as the national foundation of protections for individually identifiable health information, and of individuals’ rights with respect to their information, including the right to see and obtain copies of their health information from their healthcare providers and health plans. In addition, HIPAA covered entities and their business associates continue to use the required HIPAA electronic transactions and code set standards to exchange health information for essential administrative purposes, such as submitting insurance claims.

As the Office of the National Coordinator for Health Information Technology (ONC) and OCR work toward achieving the individual access and interoperability promises of the 21st Century Cures Act (Cures Act), we reflect on the fact that the “P” in HIPAA stands for portability. While the portability provision in HIPAA refers to the portability of health insurance coverage for individuals and their families, today we want to talk about the “P” in HIPAA also signifying the secure portability – or the flow – of health information across the health ecosystem.

HIPAA Supports Data Portability

HIPAA recognizes the importance of providing individuals with portability of their data. With limited exceptions, the HIPAA Privacy Rule provides individuals with a right, upon request, to see and receive copies of information in their medical and other health records (a “designated record set”) maintained by a HIPAA covered entity, such as an individual’s healthcare provider or health plan. At the direction of an individual or personal representative, a covered entity must transmit health information about the individual directly to any person or designated entity within 30 days (with the possibility of one 30-day extension). Covered entities are strongly encouraged to provide individuals with access to their health information much sooner, and to take advantage of technologies that enable individuals to have faster or even immediate access to the information.

ONC and OCR recently began a campaign encouraging individuals to get, check, and use copies of their health information and our two offices offer training for healthcare providers about the HIPAA right of access. OCR and ONC have developed guidance to empower individuals to take more control of decisions regarding their health and well-being through easy access to their health information. These guidelines include access guidance for professionals, HIPAA right of access training for healthcare providers, and Get It. Check It. Use It. resources for individuals.

HIPAA also supports the sharing of health information among healthcare providers, health plans, and those operating on their behalf, for treatment, payment, and healthcare operations (TPO) purposes, and provides avenues for transmitting health information to loved ones involved in an individual’s care as well as for research, public health, and other important activities.

Technology Facilitates Portability – Past, Present, & Future

To further promote the portability of health information, we encourage the development, refinement, and use of health information technology (health IT) to provide healthcare providers, health plans, and individuals and their personal representatives the ability to more rapidly access, exchange, and use health information electronically.

Now, more healthcare providers and health plans are offering individuals electronic access to their health information. In addition, the Cures Act directs HHS to address information blocking and promote the trusted exchange of health information, which will further promote the portability of this information.

HHS and its components like the Centers for Medicare & Medicaid Services (CMS) and the National Institutes of Health (NIH), along with the White House Office of American Innovation, are working to support the portability of health information and encourage the growth of a health ecosystem that encourages healthcare providers, health plans, and individuals to share health information electronically.

  • CMS is calling on healthcare providers and health plans (HIPAA covered entities) to share health information directly with patients, upon their request.
  • NIH has established a research program to help improve healthcare for all individuals that will require the portability of health information.
  • The White House Office of American Innovation also has an initiative, MyHealthEData, that aims to break down the barriers preventing patients from having electronic access to their own health records; this initiative also facilitates individuals' use of their HIPAA Privacy Rule right of access to obtain their health information and direct copies to share with third parties.

Health IT can improve the portability of digital health information and facilitate the HIPAA individual right of access. For example, healthcare providers using Certified Electronic Health Record Technology (CEHRT) certified to the 2015 Edition of standards, implementation specifications and certification criteria (2015 Edition) adopted by HHS for ONC’s Health IT Certification Program have view, download, and transmit (VDT) technical capabilities. These capabilities support individuals’ ability to use internet-based technology to transmit their health information to a third party, directly from the provider’s technology (such as through a patient portal or personal health record) to any email address, as requested by the patient. In the 2015 Edition, the “application access” certification criterion requires health IT developers to demonstrate that the health IT can provide application access to a common set of patient clinical data via an application programming interface (API). An API is technology that allows one software application to programmatically access the services another software application provides, including supporting the sharing of electronic health information.

OCR’s health app developer portal offers resources for health IT developers and others interested in the intersection of health IT and HIPAA privacy and security protections, including those wanting to build privacy and security protections into technology to enable individual choices for secure health information access and sharing. Assistance is also available at www.HHS.gov/hipaa.

The Cures Act builds on the capabilities of the 2015 Edition by calling for the development of APIs that enable the user to access and use health information “without special effort.” As we focus on accelerating individuals’ ability to access, share, and use their health information on their smartphones or other mobile devices, APIs should increase data portability and serve as a technology to further implement the health information portability concept. For example, we are currently looking at how developers and users of health IT enable individuals to use an API to make a request to exercise their HIPAA right of access and to request that their health information be transmitted to a designated third party, like the All of Us Research Program.

Looking Ahead

HHS’ guiding principle is to make policy choices that will give consumers, healthcare professionals, and innovators more options for getting and using health information. Our interoperability efforts focus on improving individuals’ ability to access and share their health information to better enable them to shop for and coordinate their own care. We are dedicated to putting patients first, allowing them to be empowered consumers of healthcare by making the information they need to be engaged and active decision-makers in their care available on their smartphones or other mobile devices.

As HHS continues working toward achieving the interoperability priorities of the 21st Century Cures Act, HIPAA puts us one step closer to doing so. Now, twenty-two years after it was enacted, and at a time when the European Union’s General Data Protection Regulation (GDPR) includes data portability as a fundamental right of individuals, HIPAA still serves as a nationwide foundation for portability of electronic health information as well as its privacy and security.

What does the HIPAA Act of 1996 include?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge.

What does HIPAA stand for and why was it passed in 1996?

The Privacy Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) establishes national standards to protect individuals' medical records and other personal health information.

What is the public law number of the original enactment of HIPAA in 1996?

To improve the efficiency and effectiveness of the health care system, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, included Administrative Simplification provisions that required HHS to adopt national standards for electronic health care transactions and code sets, ...

Which law provides patients access to their medical records?

With limited exceptions, the HIPAA Privacy Rule (the Privacy Rule) provides individuals with a legal, enforceable right to see and receive copies upon request of the information in their medical and other health records maintained by their health care providers and health plans.