Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress in 1996 to set a national standard for electronic transfers of health data. At the same time, Congress saw the need to address growing public concern about privacy and security of personal health data. The task of writing rules on privacy eventually fell to the U.S. Department of Health and Human Services (HHS). After several modifications, HHS issued the HIPAA Privacy Rule.

The Privacy Rule was effective on April 14, 2003, for most health care providers, health plans, and health care clearinghouses. Small plans have until April 14, 2004, to comply.
If you expect HIPAA to restore your confidence that sensitive medical data is a matter between you and your doctor, you will be disappointed. HIPAA sets the standard for privacy in the electronic age where health industry, government, and public interests often prevail over the patient's desire for confidentiality.
This guide explains the complex provisions of HIPAA's Privacy Rule. It covers HIPAA's high points and low points regarding your health privacy.

1. HIPAA Privacy Rule - Benefits and Shortcomings

What does HIPAA do? Is it good or bad?
The final version of the Privacy Rule includes both good and bad news for consumers. You may be surprised to see that the new privacy "rights" in HIPAA are ones you always thought you had. The following provisions are HIPAA's "high points."

  • HIPAA sets a national standard for accessing and handling medical information. Before HIPAA, your right to privacy of health information varied depending on which state you live in. Now, health care providers, health plans and other health care services that operate in all states have to abide by the minimum standards set by HIPAA.

    Your state is free to adopt laws that give you more privacy, but it cannot take away the basic rights given by HIPAA. It is likely that your state has existing laws that in some way govern the privacy of medical records. Some states may pass new laws to incorporate or strengthen HIPAA. To find out what the laws are in your state, visit the web site of the Health Privacy Project of Georgetown University, www.healthprivacy.org, and select the section for State Law. Determining whether a state has a law that remains in force after the HIPAA Rule can be a challenging task, even for experienced lawyers.
  • Access to your own medical records, prior to HIPAA, was not guaranteed by federal law. Only about half the states had laws requiring patients to be able to see and copy their own medical records. Now HIPAA gives everyone the right to see, copy, and request to amend their own medical records. You can be charged for copies of your records, but HIPAA sets limits on the fees.
  • Notice of privacy practices about how your medical information is used and disclosed must now be given to you. You should get a notice the first time you visit your doctor after the HIPAA Privacy Rule takes effect. The notice should also be available in the health care facility. It must tell you how to exercise your rights under the Rule. And the notice must explain how to file a complaint with your health care provider and with the HHS Office of Civil Rights.
  • An accounting of disclosures of your health information is also required by HIPAA. You can find out who has accessed your health records for the prior six years, although there are several exceptions to the accounting requirement. For example, accounting is not required when records are disclosed to the many individuals who see your records for treatment, payment, and health care operations (TPO). Those involved in TPO do not need to be listed in the disclosure log.
  • You can file a complaint with your health care provider and/or with the HHS if you believe a health care provider or health plan has violated your privacy.
  • Special requests for confidential communications should be granted, if reasonable. You might prefer that telephone calls about your treatment be made to your home rather than your office. Or you might want notices like appointment reminders sent to a post office box instead of your home address.
  • Staff training, the appointment of a privacy officer, and establishment of formal safeguards are some of the administrative requirements organizations must comply with under the HIPAA Privacy Rule. These new requirements impose a focus on privacy that may have taken a back seat in the hectic, business-like atmosphere that often characterizes modern-day health care.
  • You have a choice when it comes to having your name included in a hospital directory. You can also choose to have your medical information discussed with designated immediate family members, close friends, or relatives.
  • Penalties, both civil and criminal, are authorized by the HIPAA Privacy Rule if the government brings a lawsuit for violations.

2. What are HIPAA's shortcomings?

Like it or not, you are not the only one with an interest in control of personal health information. The balancing act between your interests and those of other stakeholders is often tipped on the side of government, the medical profession, related businesses, and public interests. Consumer and patient advocates are critical of HIPAA for its numerous weaknesses.
Here are some of the ways that patients' rights to privacy come up short:

  • Your consent to the use of your medical information is not required if it is used or disclosed for treatment, payment, or health care operations (TPO). In many situations such as emergencies, this makes perfect sense. You don't expect the ambulance driver to get your permission to call the hospital emergency room when you are having a heart attack. On the other hand, since your consent is not required for payment, your health care provider could submit a claim to your insurance company - even for a procedure you wanted to keep private and intended to pay for yourself. In addition, treatment, payment, and health care operations have broad definitions that encompass many activities that most people are not familiar with.
  • Your past medical information may become available, even if you thought the information was long buried and would remain private. An event, treatment, or procedure from your distant past can be disclosed the same as information about current conditions. Of some comfort, old information is given the same protections under HIPAA as current information. In addition, HIPAA's "minimum necessary" rules apply to old as well as new records. This means that the amount of information disclosed should be limited to what is necessary to accomplish the purpose.
  • Your private health information can be used for marketing and may be disclosed without your authorization to pharmaceutical companies or businesses looking to recall, repair or replace a product or medication.
  • You have no right to sue under HIPAA for violations of your privacy. In other words, you do not have a "private right of action." Only the HHS or the U.S. Department of Justice has the authority to file an action for violations of the Privacy Rule. All you can do is complain to the one who violates your privacy or to the HHS. However, you may be able to sue under state law using the HIPAA Privacy Rule to establish the appropriate standard of care.
  • Business associates of a covered entity can receive protected health information (PHI) without a patient's knowledge or consent. Before entering into an agreement with a business associate, a covered entity must receive assurance that information will be handled appropriately; after that, handling of sensitive data by business associates is left only to an honor system. Even when the limitations of the Privacy Rule are applied, many people can still see your medical records when carrying out the business of the plan or provider. Business associates may include billing services, lawyers, accountants, data processors, software vendors, and more. Your doctor may, for example, disclose your health information to a business associate that processes medical bills. A written contract for this arrangement is required, but the doctor doesn't have to check to see that your information is being handled correctly. If there is a violation, the business associate is supposed to report it.
  • Law enforcement access to protected health information under HIPAA is a significant concern of privacy and civil liberties advocates. Some disclosures may be made to law enforcement without a warrant or court order.

3. Covered Entities

Is everyone involved in my health care covered by HIPAA?

No. The HIPAA Privacy Rule pertains to three categories of "covered entities" - health care providers, health plans, and health care clearinghouses.

  • Health care providers are covered if they transmit health information electronically. Even a doctor in a small practice who keeps only paper records will almost certainly use a billing service that transmits information electronically. In short, it is nearly impossible to provide health care today without using electronic means in some way.
    As long as information is transmitted electronically, "health care provider" includes your doctors, hospitals, staff involved in your treatment, laboratories, pharmacists, dentists, and many others that provide medical, dental, and mental health care or treatment. In short, a provider is almost anyone in the business of providing health care who is licensed or regulated by the states.
  • Health plan means almost anyone that pays for the cost of medical care. This includes: health insurance companies, HMOs (health maintenance organizations), group health plans sponsored by your employer, Medicare and Medicaid, and virtually any other company or arrangement that pays for your health care.
  • Health care clearinghouses can be any number of organizations that work as a go-between for health care providers and health plans. An example of this would be a billing service that takes information from a doctor and puts it into a standard coded format. Patients rarely deal directly with clearinghouses.

An organization may also be what is called a hybrid entity. A hybrid entity provides health care as only part of its business. A large corporation that has a self-insured health plan for its employees is one example of a hybrid entity. Only the portion of the company that processes claims and makes payments to health care providers is subject to the HIPAA Privacy Rule.

4. Medical Information - What Does HIPAA Cover?

What kind of information is covered by the HIPAA Privacy Rule?

HIPAA covers any information about your past, present or future mental or physical health, including information about payment for your care. To be covered by HIPAA, information has to be kept by a covered entity - a health care provider, health care plan, or health care clearinghouse. This, combined with some fact that identifies you (such as your name, address, telephone number, or Social Security number), is called "protected health information" or PHI. PHI can be oral, handwritten, or entered into a computer. This means a conversation between a doctor and nurse about your condition has the same general protections as information written on your records.

Are my child's (K-12) records of visits to the school nurse covered by HIPAA?

No. Health records kept by schools are classified as "education records" covered by the Family Educational Rights and Privacy Act (FERPA).

Are there any limits on what can be disclosed from my medical file?
The Privacy Rule incorporates what it calls a "minimum necessary" standard when it comes to how much information should be disclosed. Doctors, hospitals, and others covered by the HIPAA Privacy Rule are required to limit the amount of information disclosed to others to the minimum necessary to accomplish the intended purpose.
What amounts to the minimum is left up to the health care provider, not you. And, the minimum necessary rule does not apply to information disclosed in connection with treatment. It also doesn't apply if you authorize the disclosure of your health information.

5. Control of Your Medical Information: "Consent" and "Authorization"

Your ability to control how your medical information is used falls generally into four different situations - along a continuum of no control to some control:
  • There are situations where you have no right to consent.
  • In some situations your authorization is not needed.
  • In certain cases your authorization is needed.
  • You have an opportunity to consent or object in a few situations.

The HIPAA Privacy Rule makes a distinction between your "consent" and your "authorization." An authorization must be given on a separate document that sets out details of the disclosure.

When can information be used without my consent?
Consent for use of your information is not the same as consent for treatment. The HIPAA Privacy Rule does not change the general requirement that a health care provider needs your consent before treating you.
A covered entity is allowed to seek your consent, and some state laws require patient consent for treatment, payment, and other disclosures. A covered entity is required to make a good faith effort to obtain your acknowledgment that you received a notice of privacy practices, but this is not the same as obtaining consent.
Your consent is not required when your medical information is used for treatment, payment, or for health care operations (TPO). But it goes much further than that. Your consent is not necessary when your information is used by a business associate of your health care provider or plan.
Services provided by a business associate can include: legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, and financial. These business relationships are established with a written contract. Your personal medical information can be used to carry on the business association, but you are not a party to the arrangement.

Does HIPAA allow a provider to contract with a foreign business associate?
HIPAA makes no distinction between a U.S. business associate and one based in a foreign country. Of late, outsourcing services that involve the transfer of personal data offshore have been the subject of many press reports. Legislation has been introduced in Congress and some state legislatures to at least give consumers notice when medical data is sent offshore. For many Americans, outsourcing is most troubling when the services provided by a foreign company entail the use of highly sensitive medical and financial information. However, to date, there are no legal restrictions on outsourcing medical-related services.

What does "health care operations" mean?
Health care operations are not the same as business associate arrangements. Use of your medical information for purposes of carrying out operations does not require a written contract. Here are just some of the things that fall under the broad heading of operations:

  • Reviewing the competence of health care professionals.
  • Training programs.
  • Activities related to health care contracts.
  • Business planning and development.
  • Resolution of internal grievances.
  • Sale, transfer, merger, or consolidation of the health care provider or plan.
  • Medical services review, legal services, auditing, including fraud detection.
  • Fundraising.

Will I ever know how many people have seen my medical information?
HIPAA requires safeguards to limit the number of people who have access to personal information. Given the number of people who may have access to your information just to run the operations and business of the health care provider or plan, there is no realistic way to count the number of people who may come across your records. If you are hospitalized, for example, hundreds of hospital employees may see your health information.
When you add to this the number of instances listed below in which your medical information can be disclosed without your authorization, the numbers can be staggering.

Can my PHI be disclosed without my authorization?

The HIPAA Privacy Rule carves out many exceptions to your ability to authorize release of your "protected health information," including details that identify you. As discussed earlier, you don't have the right to consent or object when your information is used for treatment, payment, or operations, including disclosures to business associates of your health care provider or plan. Each of these exceptions places conditions on the covered entity that makes the decision to disclose. But, you are out of the loop.

The flow of your medical information is beyond your control when the disclosure is made by a covered entity to or in connection with:

  • Any disclosure required by federal, state, or local regulation, regardless of the scope of the disclosure or the purpose of the disclosure.
  • Public health authorities.
  • A person subject to the jurisdiction of the federal Food and Drug Administration.
  • A person who may have been exposed to a communicable disease.
  • An employer to (1) conduct workplace medical surveillance or (2) to evaluate whether you have a work-related illness or injury.
  • Victims of abuse, neglect or domestic violence.
  • A health oversight agency for audits and investigations.
  • Court or administrative proceedings in response to a court order, subpoena, or discovery request.
  • A collection agency for unpaid medical bills.
  • Coroners and medical examiners.
  • Funeral directors.
  • Organ procurement organizations.
  • A medical researcher with institutional review board approval.
  • A threat to public safety or public health.
  • U.S. and foreign military commanders.
  • U.S. Department of Veterans Affairs to determine eligibility for benefits.
  • Federal government national security and intelligence officials.
  • U.S. Department of State to verify health fitness of employees and their families for foreign duty.
  • Correctional institutions involved in health care of inmates.
  • Workers' compensation uses authorized by state law.
  • Law enforcement access is authorized in a number of ways under HIPAA. In some cases information may be disclosed without a warrant or court order.

Obviously, many of the disclosures listed above are made for the public good. Some disclosures are required by law. Who could argue, for example, with the need to alert public health officials to an outbreak of a deadly disease? And, there is without a doubt a strong public interest in mandatory reporting of suspected child abuse.
Each one of the disclosures listed above that can be made without the authorization of the subject carries with it a set of conditions. For a complete list of those conditions, you may want to look at §164.512 of the Privacy Rule itself, www.hhs.gov/ocr/regtext.html. If you still have a question, you can visit the HHS web site and submit a question, www.hhs.gov/ocr/hipaa/finalreg.html. But, be aware, there are many questions that remain unanswered about HIPAA.

Is my authorization ever required before my information can be disclosed?
HIPAA requires your specific authorization for any disclosure that is not otherwise allowed by the Rule. Special authorization requirements apply (1) when the disclosure involves psychotherapy notes and (2) when the disclosure is made for marketing.
The Privacy Rule explains the procedure that must be followed to get your authorization. It states that you should not be denied treatment because you decide not to sign the authorization.

Can I be denied treatment or coverage if I don't give my authorization?
No. Treatment or health care coverage cannot be denied because you don't sign an authorization. Again, there are exceptions. If the authorization is for research-related treatment, you may not be allowed to participate in the research program without giving authorization to disclose your information. If authorization is requested from a health plan prior to the time you enroll and you refuse to give your authorization, you may not be allowed to enroll.

Can I revoke my authorization?
Yes, if you do so in writing and before any action is taken based on your authorization.

Does a hospital need my authorization to include me in a directory?
We explained above two situations in which your authorization is required before your personal data can be released - psychotherapy notes and certain marketing situations. Another situation is created under HIPAA for "directory" information.
That situation typically arises when you are admitted to the hospital. Hospitals routinely maintain directories, and inquiries are often made about a patient from a member of the clergy, the news media, family, and friends. If you are not in the directory, the hospital will not be able to tell visitors you are there, route phone calls, deliver flowers, and so on.
Situations in which individuals are likely to want to limit the disclosure of directory information include: victims of domestic violence or stalking who need to safeguard their location, celebrities and other public officials who want their hospital stay kept private, and individuals who for whatever reason want to limit others' knowledge of their health condition. Under the HIPAA Privacy Rule, you must be given an opportunity to either agree or disagree to the disclosure of your directory information.

When can I agree or disagree to having "directory" information about me disclosed?
You should be given this choice as part of the admission procedure. The directory could include information about your location within the facility, your religious affiliation (disclosed to members of the clergy only), and your condition. An agreement to be included in a hospital directory may be made orally or in writing. You can restrict the kinds of information to be disclosed and to whom it is disclosed. In case of an emergency or another situation where you are not able to give your consent, your health care provider may use his or her professional judgment. In that case, you should be consulted later when you are able to make an informed choice.

Can I give consent or authorization for someone else?
Yes, in some circumstances. The HIPAA Privacy Rule includes information on when you can act for another person or when someone can act for you. This might include times when you have a power of attorney, when you are the parent of a minor child or mentally retarded adult, or when you or someone else is acting in an emergency.

What documents will I have to sign?
The Privacy Rule includes only one situation where the consumer has to sign a document. As discussed above, a patient must sign an authorization form before health information can be disclosed for marketing or when psychotherapy notes are involved.
It is also standard for a consumer to be asked to sign a form acknowledging that he or she has received a copy of the provider's privacy policy. However, the regulation says only that the covered entity must make a "good faith" effort to obtain a signed acknowledgement form.
A signed acknowledgement means only that the consumer/patient was given a copy of a privacy notice. It does not mean (and should never state) that the consumer agrees with the policy. If the patient does not sign the acknowledgement, the covered entity is supposed to document the "good faith" effort. We have learned of instances where a covered entity has refused to provide services if the patient refuses to sign an acknowledgement. The Privacy Rule does not give the healthcare institution the right to deny service to a patient who refuses to sign a document acknowledging that they received a copy of the notice.

6. More about Your Right to Access Your Medical Records

Your ability to see your own medical records is probably the single most important right you have under HIPAA. Before HIPAA, your right to see or copy your medical records often depended on your state laws. Now, HIPAA sets the national standard, or “floor,” meaning that states can give you greater rights to access your medical information, but state laws cannot take away the fundamental access rights you have under HIPAA.

Does HIPAA allow me to get my original records?
No. HIPAA only gives you the right to get copies of your records. Or, if you choose, you can ask to see your medical records or ask for a summary of your medical file.

Do I have to submit a written request for my medical records?
HIPAA does not require a written request. However, if your provider requires a written request, you must be given notice of this. Some providers may have a form specifically for this purpose. Or, the provider's privacy policy should tell you how to request your medical records.
Even if your doctor does not require a written request, it is always a good idea to put your request in writing. That way, you have a record of important details such as when you filed your request and the record you requested. For a sample letter to request a copy of your medical records, see www.privacyrights.org/Letters/medical2.htm.

When will I get my records?
Usually, you should get your copies within 30 days of the request. Under HIPAA, if the process takes more than 30 days, you must be given a reason. Your state law may give you the right to receive your records more quickly. In California, for example, you should be able to see your medical records within 5 days and get a copy within 15 days.

Do I have to pay for copies of my medical records?
Probably, yes. HIPAA says you can be charged a “reasonable, cost-based fee.” This means you can be charged for supplies and staff time for copying your records. You can also be charged for mailing records, if mailing is what you request. But, you should not be charged for time spent searching for your records. Nor should a provider have a policy of charging all patients a flat fee.

Do I have to pay for a summary of my medical file?
Yes, but you must agree to the fee in advance.

Can I be denied access to my medical records?
Yes, in a few circumstances. For example, you cannot access psychotherapy notes or information compiled for lawsuits. Your request can also be denied if the provider decides the information you want could reasonably endanger your life, your physical safety or that of another person. A written denial letter is usually required. In some cases, you can appeal a denial. If so, you should be given instructions on how to appeal in the written denial.

Does HIPAA say medical records must be kept for a certain time?
HIPAA does not include a record retention period. It does, however, allow you to request an accounting or report of who has accessed your records. This covers the six years prior to the date you request the accounting.

How do I correct inaccurate information in my medical records?
You can ask for a correction of inaccurate information. You should make your request in writing. You should receive a written answer within 60 days. If your correction request is denied, you can note your disagreement in your file.

7. Your Health Records and Your Employer

For many people, the ultimate worry is that an employer's access to information about health and treatment or even the possibility of future illness can affect employment. The way and extent to which the HIPAA Privacy Rule covers your health information in the workplace depends on the type of health coverage you have. The majority of people in the workforce who have health benefits associated with employment fall into one of two categories:

  • Group health plans are covered by the HIPAA Privacy Rule as long as the plan has 50 or more participants. If you are a member of a group health plan, your employer pays a premium to the health plan organization to cover your health care costs. In return for the premium paid, the health care plan assumes the risk of paying for health care expenses covered by the plan. The HIPAA Privacy Rule applies to the plan itself, but not your employer.
  • Self-insured plans are health plans often offered by large employers as an employee benefit. Under self-insured health plans, the employer itself assumes the risk of health care costs and has the responsibility for paying health care claims out of the company's operating funds. Claims may be processed by company personnel or contracted out to other companies that process and maintain the records.

HIPAA requires that "hybrid" entities such as self-insured employers erect "firewalls" between the portion of the company that handles the health claims and the portion that does not. However, the effectiveness of this procedure remains to be seen.
Are all records related to my employment and my health subject to HIPAA?
No. Records that relate to other employee benefits such as life insurance, disability, workers compensation, or long-term care insurance are not covered by HIPAA. Nor are records that relate to your employer's compliance with laws that govern safety and health risks in the workplace.

8. Your Health Records and the Government

There are many situations when the government has the right or the legal obligation to see your medical records. State agencies must keep records of births and deaths as well as registries of people who have been diagnosed with serious illnesses such as cancer or HIV. Typically, disclosures to the government do not require your authorization. Government officials can see your medical records.
Many government-sponsored health programs such as those covering the military, veterans, and government employees are covered by the Privacy Rule. When personally identifiable health information is collected by the government, the federal Privacy Act also applies.
HHS, a federal government agency, may have access to your health records in connection with an investigation. The agency's Office of Civil Rights (OCR) reviews complaints about privacy violations. You might complain to the OCR, for example, that your HMO refused to give you a copy of your medical records. Then, OCR could request a copy of your records from your HMO as part of its investigation.

Does HIPAA create a government database of medical information?
Following is quoted from the HHS web site on the subject of medical databases:
Does the HIPAA Privacy Rule create a government database with all individuals' personal health information? Answer: No. The Privacy Rule does not create such a government database or require a physician or any other covered entity to send medical information to the Federal government for a government database or similar operation.

9. Your Health Information and Your Credit Report

Can my information be disclosed to a collection agency?
Yes. When you put on that faded cotton gown and sit on the examining table, you are the patient. But, your role could change to many other things, including that of debtor. You visit your doctor and pay for health insurance premiums so that you are assured of care in an emergency or in case of an illness. But, your relationship is also a business arrangement.
You are obligated to pay for any costs not covered by your health insurance. Remember: Your consent is not required to disclose information from your medical files if it is made in connection with payment.
An unpaid bill, like any other debt claimed to be owed, may be reported to a collection agency. What's more, an unpaid medical bill can appear as a negative entry on your credit report. Information that can be disclosed to a collection agency about you includes:

  • Your name and address
  • Date of birth
  • Social Security number
  • Payment history
  • Account number
  • Name and address of the health care provider or health plan that says you owe the money.

The medical billing and insurance claims processes can be complicated and confusing. Be sure to stay on top of your medical bills and dispute matters in writing with both the health provider and insurance company when you think errors have been made. Try to get the matter resolved before the debt is reported to a collection agency and/or to the credit reporting agencies (Experian, Equifax, TransUnion).
If a medical debt is reported to a collection agency, you have rights given by credit and collection laws. Federal laws are the Fair Credit Reporting Act and the Fair Debt Collection Practices Act. State laws might also apply.

10. HIPAA and Your Daily Routine

HIPAA also touches on privacy in small ways like routine office visits, prescription refills, and messages left on voice mail systems. This is a partial list of day-to-day situations that may or may not be changed by HIPAA:

  • You can make a special request to be called for appointment reminders or to discuss your treatment at a certain telephone number.
  • Your health care provider should be careful to keep information left on patients' voice mail systems to a minimum.
  • Medical records can be faxed from one doctor to another.
  • Someone else can pick up your prescription with your permission.
  • Your doctor can prescribe medication without a face-to-face visit.
  • The pharmacists can talk to you over the counter about your medication, but must take care that others near you do not hear the conversation.
  • Medical files can be left outside the examining room, but should be turned facing the wall.

Will HIPAA stop gossip?
Rumors and gossip about medical conditions or treatment are a concern to many people. This is particularly true in small communities where neighbors, friends, and former in-laws might work at the only hospital in town. Under HIPAA, access to sensitive medical information should be limited to those who have a need to know. However, no system can ever stop gossip. If you find that any of your sensitive medical information is disclosed through the grapevine, you should not hesitate to report it to the health care service and file a complaint with the HHS.
Health care providers must pay attention to accidental disclosures through routine conversation. A doctor, nurse, or technician may violate the HIPAA Rule simply by saying to a third party that they saw a particular individual at the clinic last week. That statement discloses that the individual is a patient who sought care, and both of those facts are "protected health information" (PHI) under HIPAA. The disclosure might be particularly sensitive if the physician is a psychiatrist, but the same policy applies to family practitioners, pharmacists, and dental hygienists too.

11. Complaints and Penalties for Violations

What can I do if someone violates the HIPAA Privacy Rule?

You don't have the right to sue under HIPAA. The most you can do under HIPAA itself is file a complaint. The privacy notice you receive from your health care provider or plan is required to tell you how to file a complaint within the organization. The notice should also tell you how to contact the HHS Office for Civil Rights (OCR). This is the government office charged with enforcing the Privacy Rule.
You must file your complaint within 180 days of when you knew, or should have known, of the violation, though HHS can extend that deadline for good cause. HIPAA also prohibits a covered entity from retaliating against you for filing a complaint, for example by denying you treatment.
Even though the HIPAA Privacy Rule does not give you the right to sue, other federal or state laws or regulations might give you the right to bring an action in court for violations of your privacy. If you feel your rights have been violated, you may want to discuss the situation with an attorney.

What happens after I complain?

HHS may decide to investigate and/or try to resolve the issue informally. A person or organization that is obliged to follow the Privacy Rule may face a civil fine of $100 per violation, up to $25,000 per year for violations of the same requirement. In extreme cases, the U.S. Department of Justice (DOJ) may be called in to conduct a criminal investigation. If the DOJ becomes involved, violators could face a jail term of up to 10 years and a fine of up to $250,000; the highest penalties apply to knowingly obtaining or disclosing health information with intent to sell it, or to use it for commercial advantage, personal gain, or malicious harm.

12. The HIPAA Security Rule

Privacy and data security go hand-in-hand. So far, this guide has looked at the HIPAA Privacy Rule, explaining what you can and cannot do to protect your sensitive medical files. A separate regulation, also published by the Department of Health and Human Services, describes what "covered entities" must do to make sure your medical files are secure. The Security Rule took effect April 20, 2005, for most covered entities, with a one-year delay (until April 20, 2006) for small health plans, that is, health plans having annual receipts of $5 million or less.

Do I have a role in the HIPAA Security Rule?
Patients receive notice about privacy practices, but data security operates behind the scenes, out of your hands. Still, the Security Rule is important to patients because, like the Privacy Rule, it creates a national standard. This means that all health care providers, health plans, and health care clearinghouses that transmit health information electronically must adopt a data security plan.

Does the Security Rule protect all my health records?
Only health information created, received, maintained, or transmitted in electronic format (electronic protected health information, or ePHI) is covered by the Security Rule. Paper records stored in filing cabinets are not subject to the Security Rule's standards, although the Privacy Rule still requires covered entities to apply reasonable administrative, physical, and technical safeguards to protected health information in any form.

What does the Security Rule require of covered entities?
The Security Rule, according to HHS, was designed to be flexible, establishing a security framework for small practices as well as large institutions. All covered entities must have a written security plan, that is, documented security policies and procedures. HHS identifies three components as necessary for the security plan. Those are:

  • Administrative safeguards
  • Physical safeguards
  • Technical safeguards.

Each of the three major categories has a number of subcategories, called implementation specifications. Some are "required" and must be included in the security plan. Others are "addressable," which does not mean optional: the covered entity must assess whether the specification is reasonable and appropriate for its size, environment, and risks, implement it if so, and otherwise document why it was not implemented and adopt an equivalent alternative measure where one is reasonable and appropriate.

Will I be notified about a security breach?
The Security Rule requires covered entities to adopt security "incident" procedures: identifying and responding to suspected or known security incidents, mitigating their harmful effects, and documenting the incidents and their outcomes. These are internal procedures. According to HHS, "This regulation does not specifically require any incident reporting to outside entities. External incident reporting is dependent upon business and legal considerations." Thus, while the HIPAA Security Rule does not require that you be notified of a breach, other laws such as California's security breach law may require notice. (CA Civil Code §1798.29)

13. Electronic Health Records

Is my health information stored in electronic format?
Almost certainly some, or major portions, of your health information is kept in electronic format. In fact, to be covered by HIPAA at all, a provider, plan, or clearinghouse must transmit health information electronically in connection with a standard transaction such as an insurance claim, usually between a health care provider and a health benefit plan.
Even small medical practices are moving away from paper records. If your provider is a Health Maintenance Organization (HMO) or you have had a hospital stay, your medical information is likely to be accessed through computers accessible to various departments throughout the facility. In addition, some employers have established an internal electronic network of health data.

14. Tips for Safeguarding Your Medical Information

In reading this guide about the HIPAA Privacy Rule, you may have rightly concluded that your ability to control the flow of your sensitive medical information is limited. Still, the more you know, the better able you are to maximize the privacy you have left.

Educate yourself and find out as much as you can about the privacy practices of your health care provider and health plan. Read notices and ask questions if you don't understand.

Talk to your provider about your confidentiality concerns. Ask how the provider shares patient data within the office and with affiliates.

Remember, you are not just a patient but also a consumer of health care. Like any consumer, you can shop for the best privacy deal around. Also, be aware that, as a consumer, you can become a debtor. Unpaid medical bills can be referred to a collection agency or end up as a negative entry on your credit report. The insurance payment process can be complicated and confusing. Be sure to stay on top of your medical bills and dispute matters in writing with both the health provider and insurance company when you think errors have been made. Attempt to resolve disputes before bills are referred to a collection agency and/or the credit bureaus.

Read authorizations carefully. Make your choices about restrictions on authorizations known, and refuse to sign any you are not comfortable with. Keep in mind, authorization forms may ask for your permission to disclose your health information for multiple purposes. One type of authorization is the use of your medical data for marketing. You may withdraw your authorization if you later decide you made the wrong choice.

Because HIPAA authorizes so many different types of disclosures without patient approval, you should be suspicious anytime that someone asks you to sign an authorization form for disclosure of health information. Make sure that the authorization is for your benefit and not someone else's.

Exercise your right to obtain a copy of your medical records. Make sure information is accurate. Request that incorrect information be corrected or amended. Keep in mind, your health care provider has the final word on changes and amendments to health records.

Keep a personal health record. This may include copies of your medical files and other information related to your health such as diet and exercise programs.

Complain if you feel your rights have been violated or your concerns have been ignored. You can file a complaint with both the provider and the HHS Office for Civil Rights. Many problems can be resolved by going directly to the health care provider before you contact HHS.

Contact your representatives in Congress and in your state legislature if you feel stronger laws to protect your medical privacy are needed.

Remember that the HIPAA Privacy Rule is new to record keepers and many providers and insurers are struggling to implement the Rule. Stand up for your rights and let everyone know that you are concerned about privacy, but demonstrate patience and understanding. It will take a lot of effort and time before there is universal compliance with the HIPAA Privacy Rule.

A final word about complaints: Registering your complaint with your health care provider, the Office for Civil Rights, and your legislative representatives might not result in immediate change. But by complaining, you are educating others about situations that you feel violate your privacy. You are also alerting lawmakers about deficiencies in health privacy law. You are not likely to see changes overnight, but if enough people communicate their dissatisfaction, we might see improvements in the future.

