HIPAA Privacy Rule
Today, you have more reason than ever to care about the privacy of your medical information. This information was once stored in locked file cabinets and on dusty shelves in the medical records department.
Your doctor(s) used to be the sole keeper of your physical and mental health information. With today's usage of electronic medical records software, information discussed in confidence with your doctor(s) will be recorded into electronic data files. The obvious concern - the potential for your records to be seen by hundreds of strangers who work in health care, the insurance industry, and a host of businesses associated with medical organizations.
Fortunately, this catastrophic scenario will likely be avoided.
Congress addressed growing public concern about privacy and security of personal health data, and in 1996 passed “The Health Insurance Portability and Accountability Act” (HIPAA). HIPAA sets the national standard for electronic transfers of health data. Before HIPAA, each state set its own standards. Now states must abide by the minimum standards set by HIPAA. States can enact laws to incorporate and/or strengthen the basic rights given by HIPAA.
How HIPAA's Privacy Rule Protects YOU, The Patient
Access to your own medical records
Prior to HIPAA, access to YOUR medical records was not guaranteed by federal law. Only about half the states had laws giving patients the right to see and copy their own medical records. You may be charged for copies, but HIPAA sets fee limits.
You Must Be Given Notice Of Privacy Practices
You must now be given notice of how your medical information is used and disclosed. The notice must also tell you how to exercise your rights and how to file a complaint with your health care provider and with the DHHS Office of Civil Rights.
HIPAA Requires Accounting of Disclosure Details
You have the right to know who has accessed your health records for the prior six years. However, there are several exceptions to the accounting requirement. Accounting is not required when records are disclosed to persons who see your records for treatment, payment, and health care operations. These individuals do not need to be listed in the disclosure log.
Filing A Complaint
If you believe a health care provider or health plan has violated your privacy, you have the right to file a complaint with your health care provider and with DHHS.
Special Requests For Confidential Communications.
You can make special requests specifying how you would like your doctor's office to handle confidential communication.
For example, you can ask for calls to be made to your home rather than your office. Your health care provider should agree to any of your reasonable requests.
Establishment Of Formal Safeguards.
Healthcare businesses must comply with certain administrative requirements, including staff training and appointment of a privacy officer.
You can also choose to have your medical information discussed with designated immediate family members, close friends, or relatives.
If the HIPAA Privacy Rule is violated, the government can file a lawsuit for violations. Civil and criminal penalties certainly provide an incentive for compliance.
The HIPAA Privacy Rule Is Less Than Perfect.
Consumer and patient advocates are critical of HIPAA for its numerous weaknesses.
Your consent to the use of your medical information is not required if it is used or disclosed for treatment, payment, or health care operations.
Your private health information may be disclosed to pharmaceutical companies or businesses looking to recall, repair or replace a product or medication.
You have no right to sue under HIPAA for violations of your privacy. You may be able to sue under state law using the HIPAA Privacy Rule to establish the appropriate standard of care.
Business associates can receive protected health information without a patient's knowledge or consent. Business associates may include billing services, lawyers, accountants, data processors, software vendors, and more.
Law enforcement can access protected health information without a warrant or court order.
The HIPAA Privacy Rule only applies to health care providers, health plans, and health care clearinghouses.
Health care providers who transmit health information electronically.
Health plan is defined as anyone that pays for the cost of medical care.
Included in the group - health insurance companies, health maintenance organizations, group health plans sponsored by your employer and Medicare/Medicaid.
Health care clearinghouses
Applies to businesses that work as a go-between for health care providers and health plans. For example, a billing service that takes information from a doctor and puts it into a standard coded format.
Who Is Not Covered By The HIPAA Privacy Rule?
Life insurance companies.
Social Security and welfare benefits agencies.
Automobile insurance plans that include health benefits.
Internet self-help sites.
Researchers who obtain health data directly from health care providers.
Law enforcement agencies.
Medical Information - What Does HIPAA Cover?
HIPAA covers information related to your past, present or future mental or physical health, including information about payment for your care. Information must be kept by a health care provider, health care plan, or health care clearinghouse. HIPAA deems said information "Protected Health Information".
Limitations On Medical File Disclosures.
HIPAA uses a “minimum necessary standard” to limit the amount of disclosed information. What amounts to the minimum is left up to the health care provider, not you. And, the minimum necessary rule does not apply to information disclosed in connection with treatment. It also doesn't apply if you authorize the disclosure of your health information.
How Many People Have Accessed My Medical Information?
HIPAA requires safeguards to limit the number of people who have access to personal information. However, given the number of people who may have access to your information just to run the operations of the health care provider or plan, there really is no way to count the number of people who may come across your records. If you are hospitalized, for example, hundreds of hospital employees may see your health information.
Exceptions To The HIPAA Rule Limit Your Ability To Authorize Release.
The exceptions do place conditions on the entity that makes the decision to disclose your "protected health information". You are not part of the decision-making process when disclosure is required by:
Federal, state, or local regulation, regardless of the scope of the disclosure or the purpose of the disclosure.
Public health authorities.
A person subject to the jurisdiction of the federal Food and Drug Administration.
A person who may have been exposed to a communicable disease.
An employer to (1) conduct workplace medical surveillance or (2) to evaluate whether you have a work-related illness or injury.
Victims of abuse, neglect or domestic violence.
A health oversight agency for audits and investigations.
Court or administrative proceedings in response to a court order, subpoena, or discovery request.
A collection agency for unpaid medical bills.
Coroners and medical examiners.
Organ procurement organizations.
A medical researcher with institutional review board approval.
A threat to public safety or public health.
U.S. and foreign military commanders.
U.S. Department of Veterans Affairs to determine eligibility for benefits.
Federal government national security and intelligence officials.
U.S. Department of State to verify health fitness of employees and their families for foreign duty.
Correctional institutions involved in health care of inmates.
Workers' compensation uses authorized by state law.
HIPAA requires your specific authorization
when disclosure involves psychotherapy notes (exceptions - if the notes are used for such purposes as training staff or to defend the doctor or health plan in court).
when the disclosure is made for marketing.
The Privacy Rule explains the procedure that must be followed to get your authorization.
Treatment Or Coverage Cannot Be Denied.
Treatment or health care coverage cannot be denied because you don't sign an authorization. (exceptions - if the authorization is for research-related treatment, you may not be allowed to participate in the research program without giving authorization to disclose your information. If authorization is requested from a health plan prior to the time you enroll and you refuse to give your authorization, you may not be allowed to enroll).
You must do so in writing
before any action is taken based on your authorization.
HIPAA and Your Daily Routine
You can make a special request to be called for appointment reminders or to discuss your treatment at a certain telephone number.
Your health care provider should be careful to keep information left on patients' voice mail systems to a minimum.
Medical records can be faxed from one doctor to another.
Someone else can pick up your prescription with your permission.
Your doctor can prescribe medication without a face-to-face visit.
The pharmacists can talk to you over the counter about your medication, but must take care that others near you do not hear the conversation.
Medical files can be left outside the examining room, but should be turned facing the wall.
Tips for Safeguarding Your Medical Information
In reading this guide about the HIPAA Privacy Rule, you may have rightly concluded that your ability to control the flow of your sensitive medical information is limited. Still, the more you know, the better able you are to maximize the privacy you have left.
Educate yourself and find out as much as you can about the privacy practices of your health care provider and health plan. Read notices and ask questions if you don't understand.
Talk to your provider about your confidentiality concerns. Ask how the provider shares patient data within the office and with affiliates.
Remember, you are not just a patient but also a consumer of health care. Like any consumer, you can shop for the best privacy deal around. Also, be aware that, as a consumer, you can become a debtor. Unpaid medical bills can be referred to a collection agency or end up as a negative entry on your credit report. The insurance payment process can be complicated and confusing. Be sure to stay on top of your medical bills and dispute matters in writing with both the health provider and insurance company when you think errors have been made. Attempt to resolve disputes before bills are referred to a collection agency and/or the credit bureaus.
Read authorizations carefully. Make your choices about restrictions on authorizations known, and refuse to sign any you are not comfortable with. Keep in mind, authorization forms may ask for your permission to disclose your health information for multiple purposes. One type of authorization is the use of your medical data for marketing. You may withdraw your authorization if you later decide you made the wrong choice.
Exercise your right to obtain a copy of your medical records. Make sure information is accurate. Request that incorrect information be corrected or amended. Keep in mind, your health care provider has the final word on changes and amendments to health records.
Request that communications be made in a way that you choose. For example, you can request that you be called at your cellular telephone number rather than home phone, or that mailings be sent to your P.O. Box rather than your residential address.
Complain if you feel your rights have been violated or your concerns have been ignored. You can file a complaint with both the provider and the Office of Civil Rights. Many problems can be resolved by going directly to the health care provider before you contact DHHS.
Contact your representatives in Congress and in your state legislature if you feel stronger laws to protect your medical privacy are needed.
Remember that the HIPAA Privacy Rule is new to record keepers, and many providers and insurers are struggling to implement the Rule. Stand up for your rights and let everyone know that you are concerned about privacy, but demonstrate patience and understanding. It will take a lot of effort and time before there is universal compliance with the HIPAA Privacy Rule.