The role of HIPAA in collecting patient experience feedback
As a professional working in the healthcare industry, you’ll no doubt be familiar with the Healthcare Insurance Portability and Accountability Act (HIPAA) and the relevance for your data collection, reporting and storage activities. However, if you’re starting to think about collecting patient experience feedback, it's worthwhile revisiting HIPAA regulations to make sure you’re up to date. Failure to consider HIPAA in research can have major ramifications. Research shows that while HIPAA breaches cost approximately $200 per victim, the courts usually award around $1000 per victim. Given the colossal size of the financial penalties now being issued for violation of HIPAA regulations, it is crucial that you know how HIPAA will impact your efforts to gather patient experience data.
In the age of Covid-19, it's also important to note that the types of organizations that gather HIPAA data have been extended to non-healthcare organizations. For example, employers and other business entities might gather data on whether workers have contracted the virus, or their vaccination status. These organizations also have to be vigilant about HIPAA regulations. So, even if you’re not a healthcare professional, you might find our guide useful.
Read on for more information about the HIPAA regulations, the kinds of information that are protected and what you’ll need to think about when designing patient feedback research.
What Types Of Information Are Protected Under HIPAA?
Under HIPAA regulations, any information created, gathered, stored or transmitted by a HIPAA-covered entity that could identify an individual patient is considered protected information. What do we mean by a HIPAA-covered entity? There are three main types:
- Any organization that provides patients with a healthcare plan, such as a healthcare provider
- Any healthcare clearinghouse. These are organizations that process healthcare information on behalf of other organizations, such as repricing companies, billing services and community health information systems
- Any healthcare provider that electronically transmits data protected data about patients such as benefit eligibility inquiries, claims, or referral authorization requests.
While employers are generally not classified as Covered Entities under HIPAA regulations, in practice, they are bound by the same rules when collecting, storing, or transmitting protected health information (PHI): increasingly important in the Covid-19 era.
PHI
What is PHI?
What exactly is PHI? Under the terms of HIPAA, PHI is considered to be individually identifiable information about patients’ current or future health status. PHI is generated, used or disclosed about patients in the course of healthcare provision and delivery. For example, it might emerge during conversations between physicians and nurses regarding the treatment of patients or may be written down on forms, communications and other types of documentation. Examples of protected health information include:
- Patient diagnoses
- The results of MRIs, X-rays or blood tests
- Billing information
- Doctor or clinical appointments
- Prescriptions
- Records of communications between doctors
What is ePHI?
When PHI isi in digital form, it is commonly referred to as ePHI or electronically Protected Health Information or ePHI. For example, ePHI might be transferred by email, stored on a server, or found on a computer hard drive. Most of the rules of HIPAA apply equally to PHI and ePHI. However, the Security Rule of HIPAA is focused on the implementation of technical, administrative and physical safeguards to ensure the integrity and sanctity of electronic PHI specifically.
PHI vs. IIHA
Although PHI is the more commonly used term, you may also have heard the term Individual Identifiable Health Information, or IIHI. PHI and IIHA are interchangeable and refer to the same information - any piece of healthcare information that could enable the patient to be identified.
How Does HIPAA Protect Patient Rights?
HIPAA plays a major role in the protection of patient rights. Let's take a look at some of the considerable benefits of these regulations for patients.
Benefits Of HIPAA For Patients
- Patients have more control over their information. The main benefit of HIPAA is that by setting boundaries over the way in which health records are used, released and shared, patients are able to find out how their information is used. HIPAA empowers patients to control certain uses and disclosures of their protected information.
- It allows patients easier access to their records and data. Patients have the right, for example, to obtain a copy of their health records, to request corrections to those records in the event of inaccuracies, and to find out about which aspects of their information have been disclosed, and to whom.
- Under HIPAA, patients have more protection against the unauthorized release of PHI. This is because HIPAA limits the release of personal data to the minimum that is reasonably needed for the purpose of the disclosure.
- It holds violators accountable. Data breaches under HIPAA are taken very seriously. Patients can hold violators of the regulations accountable, and there are civil and even criminal penalties for violators.
HIPAA Challenges For Healthcare Providers
Of course, HIPAA creates certain challenges for healthcare providers, particularly with relevance to their ability to collect patient experience feedback. Some of the key challenges that you will need to be aware of when gathering patient feedback data include:
- Technical challenges. These are challenges associated with controlling access to data, controlling data integrity and controlling data transfer. For instance, when storing PHI, you will need to restrict access only to authorized personnel. In addition, only authorized personnel should be granted the right to destroy files, and data transfer must be conducted in a secure way. Take a look at how SurveyMonkey’s features help to ensure that data storage, integrity and transfer takes place in accordance with HIPAA regulations.
- Research challenges. HIPAA regulations mean that it can be more challenging to conduct research. In particular, there are restrictions around the use of patient data which you should be aware of. Patients will need to sign a release before you can use their data for research purposes. For some tips on how to collect data in a way that is HIPAA compliant, including tips on sharing surveys and collecting responses, see our useful guide.
How Does HIPAA Protect Healthcare Providers?
Clearly, HIPAA was designed with patient rights firmly in mind, and there are many benefits for patients when healthcare providers are HIPAA compliant. However, it's also important to remember that following HIPAA regulations also protects healthcare providers:
- It creates a culture of compliance. Oftentimes, data breaches and violations of data protection regulations occur inadvertently, because organizations have assigned responsibility to compliance to one department, or even to one individual. HIPAA makes it clear that all healthcare professionals and anyone who comes into contact with PHI is responsible for protecting this data. Therefore, HIPAA helps to create a culture of compliance in which all stakeholders see themselves as accountable for information security.
- Privacy rules steer healthcare providers towards building better security. In the digital age, data security is more important than ever before. HIPAA rules and regulations may seem stringent, but they serve as a vital reminder that organizational infrastructure needs to be designed in a way that protects it against data breaches - which can be both costly and devastating for patients.
- Data sharing is facilitated. Many patients - especially those with complex medical needs - will be served by multiple healthcare providers, and we are moving to a time when sharing of data across organizations in a safe and secure way will be increasingly necessary. HIPAA has helped drive changes in the way that records are stored, which can make sharing information easier when it’s permitted.
Read more about how SurveyMonkey can help with HIPAA compliance here.
Why Patient Feedback Is Important
Over the past few years, the proportion of medical expenses that patients have had to bear has grown steadily. One of the consequences of this development is that patients are increasingly becoming active participants in the healthcare that they receive. As a result of rising deductibles, insurance premiums and out of pocket medical expenses, patients want to make sure that they’re getting value for money. Dissatisfied patients will not think twice about moving to a new healthcare provider. That means that gathering patient feedback is more important than ever before. Capturing insight into patient experiences - whether good or bad - can help you to ensure that patients are getting the bang for their buck that they expect, and will help you to fix any issues before they vote with their feet. Specifically, gathering patient feedback helps you to:
- Improve overall patient experience. There’s little point investing hours of time and thousands of dollars in developing strategies to improve patient experience unless you actually ask your patients what they want. And, the best way to do that is through clear and dedicated data collection efforts, like a survey. That’s because patients often will not give you their opinion of their experiences unless you explicitly ask for feedback. For the fullest possible picture, we recommend an approach that both examines the experiences of individual patients as well as one which looks for patterns across patients and groups of patients (such as patients in similar demographic groups, or those that have similar medical conditions). By taking a two-pronged approach, you’ll be well placed to be able make patient care more personalized, while ensuring the patient care is delivered in an inclusive way.
- Address Diversity, Equity and Inclusion (DEI) in the delivery of healthcare. The specific needs of many categories of patients - like patients with disabilities, the elderly, and children - often go unheard. Gathering patient feedback and analyzing data according to demographic groups can help you make sure that the needs of the most vulnerable groups are being fully addressed.
- Track changes in patient satisfaction over time. If you don’t address problems with patient experience, you run the risk of losing patients to competitors. That means that you need to gather patient feedback regularly, rather than taking a one-and-done approach. When you regularly ask patients for feedback, you’ll be able to identify critical incidents that have the potential to significantly impact patient satisfaction. Equally, when making improvements to the quality of care, you’ll be able to track feedback over time in order to discern improvements in patient satisfaction.
- To improve the quality of care. With well-designed patient feedback surveys and processes of data collection, you’ll soon be armed with critical insight that you can use to design care that is high quality and responsive to patient needs. We recommend gathering as much data as possible to put you in the best position to deliver superior care at every stage in the patient journey. This includes data such as:
- Wait times
- Ease of scheduling appointments
- Service expectations and perceptions of the quality of the care delivered by physicians and other healthcare professionals
- Level of professionalism
- Communication
- Perceptions of the infrastructure, such as the cleanliness of bathrooms
- To benchmark your performance. The healthcare industry is a competitive one, like any sector. Gathering patient feedback is vital in evaluating your performance in comparison to other healthcare providers. You can compare patient feedback and satisfaction to compare yourself against other, comparable practices, compare the performance of individual physicians across the average performance across the entire organization, to evaluate improvements over time.
So, as you can see, HIPAA has major implications for the way in which you gather, store, share and use protected health information. Sound challenging? SurveyMonkey already has the features in place to ensure HIPAA compliance. And, to learn more about how other healthcare organizations are gathering patient feedback data in a way that is HIPAA compliant, see this article.
Discover more resources
Measuring quality of care to improve the patient experience
Healthcare leaders can use this toolkit to help better understand the patient and employee experience.
Learn how Carrot boosts clinical outcomes with feedback
Discover how Carrot relies on SurveyMonkey for HIPAA-compliant surveys, improved data collection, and better clinical outcomes.
How to use Forms to enhance your survey experience
How do surveys and forms differ? Learn how to combine form data with survey feedback for seamless events and experiences.
How to improve your patient registration process
An efficient patient registration process makes onboarding easy and saves time. But what do you need to collect, and how? We can help.