Copyright © 2003-2009. |
|
|
|
Today, you have more reason than ever to care about the privacy of your medical information. Intimate details you revealed in confidence to your doctor were once stored in locked file cabinets and on dusty shelves in the medical records department. Now, sensitive information about your physical and mental health will almost certainly end up in data files. Your records may be seen by hundreds of strangers who work in health care, the insurance industry, and a host of businesses associated with medical organizations. What's worse, your private medical information is now a valuable commodity for marketers who want to sell you something. The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress in 1996 to set a national standard for electronic transfers of health data. At the same time, Congress saw the need to address growing public concern about privacy and security of personal health data. The task of writing rules on privacy eventually fell to the U.S. Department of Health and Human Services (HHS). After several modifications, DHHS issued the HIPAA Privacy Rule. The Privacy Rule was effective on April 14, 2003, for most health care providers, health plans, and health care clearinghouses. Small plans have until April 14, 2004, to comply. If you expect HIPAA to restore your confidence that sensitive medical data is a matter between you and your doctor, you will be disappointed. HIPAA sets the standard for privacy in the electronic age where health industry, government, and public interests often prevail over the patient's desire for confidentiality. This guide explains the complex provisions of HIPAA's Privacy Rule. It covers HIPAA's high points and low points regarding your health privacy. For more information on HIPAA and additional rules that are not explained here, go to the References section at the end of this guide.
What does HIPAA do? Is it good or bad? The final version of the Privacy Rule includes both good and bad news for consumers. You may be surprised to see the new privacy "rights" in HIPAA were ones you always thought you had. The following provisions are HIPAA's "high points."
What are HIPAA's shortcomings?Like it or not, you are not the only one with an interest in control of personal health information. The balancing act between your interests and those of other stakeholders is often tipped on the side of government, the medical profession, related businesses, and public interests. Consumer and patient advocates are critical of HIPAA for its numerous weaknesses. Here are some of the ways that patients' rights to privacy come up short:
Is everyone involved in my health care covered by HIPAA?No. The HIPAA Privacy Rule pertains to three categories of "covered entities" - health care providers, health plans, and health care clearinghouses.
An organization may also be what is called a hybrid entity. A hybrid entity provides health care as only part of its business. A large corporation that has a self-insured health plan for its employees is one example of a hybrid entity. Only the portion of the company that processes claims and makes payments to health care providers is subject to the HIPAA Privacy Rule. Who is not covered by the HIPAA Privacy Rule?Your medical information may be available to many who are not covered by HIPAA. Here are some examples of who is not covered.
Even though these institutions are not covered by HIPAA, they may get information from a covered entity. Is the Medical Information Bureau (MIB) a covered entity? What about IntelliScript and MedPoint? No. The MIB is a member organization made up of insurance companies. Because the MIB is neither a health care provider, health care plan, nor health care clearinghouse, it is not a covered entity. Most of MIB's members underwrite life and disability insurance, functions that are not covered by HIPAA.
What kind of information is covered by the HIPAA Privacy Rule?HIPAA covers any information about your past, present or future mental or physical health including information about payment for your care. To be covered by HIPAA, information has to be kept by a covered entity - a health care provider, health care plan, or health care clearinghouse. This, combined with some fact that identifies you (your name, address, telephone number, Social Security number) is called "protected health information" or PHI. PHI can be oral, handwritten, or entered into a computer. This means a conversation between a doctor and nurse about your condition has the same general protections as information written on your records. Are my child's (K-12) records of visits to the school nurse covered by HIPAA?No. Health records kept by schools are classified as "education records" covered by the Family Educational Rights and Privacy Act (FERPA). For more on FERPA and privacy of your child's education records, visit the US Department of Education web site, www.ed.gov/offices/OM /fpco/ferpa/index.html. Are there any limits on what can be disclosed from my medical file?The Privacy Rule incorporates what it calls a "minimum necessary" standard when it comes to how much information should be disclosed. Doctors, hospitals, and others covered by the HIPAA Privacy Rule are required to limit the amount of information disclosed to others to the minimum necessary to accomplish the intended purpose. What amounts to the minimum is left up to the health care provider, not you. And, the minimum necessary rule does not apply to information disclosed in connection with treatment. It also doesn't apply if you authorize the disclosure of your health information.
Your ability to control how your medical information is used falls generally into four different situations - along a continuum of no control to some control :
The HIPAA Privacy Rule makes a distinction between your "consent" and your "authorization." An authorization must be given on a separate document that sets out details of the disclosure. Consent, when required, is much less formal (discussed further below.) To see how HHS explains the difference between consent and authorization, visit the Question and Answer Section of the Agency's web site. Select the category "Privacy of Health Information/HIPAA" and the subcategory of "Authorizations," http://answers.hhs.gov/cgi-bin/hhs.cfg/php/enduser/std_alp.php When can information be used without my consent? Consent for use of your information is not the same as consent for treatment. The HIPAA Privacy Rule does not change the general requirement that a health care provider needs your consent before treating you. A covered entity is allowed to seek your consent, and some state laws require patient consent for treatment, payment, and other disclosures. A covered entity is required to make a good faith effort to obtain your acknowledgment that you received a notice of privacy practices, but this is not the same as obtaining consent. Your consent is not required when your medical information is used for treatment, payment, or for health care operations (TPO). But it goes much further than that. Your consent is not necessary when your information is used by a business associate of your health care provider or plan. Services provided by a business associate can include: legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, and financial. These business relationships are established with a written contract. Your personal medical information can be used to carry on the business association, but you are not a party to the arrangement. Does HIPAA allow a provider to contract with a foreign business associate ? HIPAA makes no distinction between a U.S. business associate and one based in a foreign country. Of late, outsourcing services that involve the transfer of personal data offshore have been the subject of many press reports. Legislation has been introduced in Congress and some state legislatures to at least give consumers notice when medical data is sent offshore. For many Americans, outsourcing is most troubling when the services provided by a foreign company entail the use of highly sensitive medical and financial information. However, to date, there are no legal restrictions on outsourcing medical-related services. What does "health care operations" mean? Health care operations are not the same as business associate arrangements. Use of your medical information for purposes of carrying out operations does not require a written contract. Here are just some of the things that fall under the broad heading of operations:
Will I ever know how many people have seen my medical information? HIPAA requires safeguards to limit the number of people who have access to personal information. Given the number of people who may have access to your information just to run the operations and business of the health care provider or plan, there is no realistic way to count the number of people who may come across your records. If you are hospitalized, for example, hundreds of hospital employees may see your health information. When you add to this the number of instances listed below in which your medical information can be disclosed without your authorization, the numbers can be staggering. For an idea of how extensive routine disclosures can be, read "Health Privacy: The Way We Live Now" by Robert Gellman, reprinted on the Privacy Rights Clearinghouse web site, www.privacyrights.org/ar/gellman-med.htm. Can my PHI be disclosed without my authorization?The HIPAA Privacy Rule carves out many exceptions to your ability to authorize release of your "protected health information," including details that identify you . As discussed earlier, you don't have the right to consent or object when your information is used for treatment, payment, or operations, including disclosures to business associates of your health care provider or plan. Each of these exceptions places conditions on the covered entity who makes the decision to disclose. But, you are out of the loop. The flow of your medical information is beyond your control when the disclosure is made by a covered entity to or in connection with:
Further .
Obviously, many of the disclosures listed above are made for the public good. Some disclosures are required by law. Who could argue, for example, with the need to alert public health officials to an outbreak of a deadly disease. And, there is without a doubt a strong public interest in mandatory reporting of suspected child abuse. Each one of the disclosures listed above that can be made without the authorization of the subject carries with it a set of conditions. For a complete list of those conditions, you may want to look at §164.512 the Privacy Rule itself, www.hhs.gov/ocr/regtext.html. If you still have a question, you can visit the HHS web site and submit a question, www.hhs.gov/ocr/hipaa/finalreg.html. But, be aware, there are many questions that remain unanswered about HIPAA. Is my authorization ever required before my information can be disclosed ? HIPAA requires your specific authorization unless disclosure is not otherwise allowed. Special authorization requirements apply (1) when the disclosure involves psychotherapy notes and (2) when the disclosure is made for marketing. The Privacy Rule explains the procedure that must be followed to get your authorization. It states that you should not be denied treatment because you decide not to sign the authorization.
Following are some examples from the HHS web site of what is and is not considered marketing under the Privacy Rule: Examples of marketing communications requiring prior authorization:
It is not marketing and no authorization from you is required when :
The term "marketing" is one area that is likely to be debated by state legislators given states' authority to expand HIPAA privacy protections. California lawmakers have already proposed to strengthen the HIPAA marketing provisions during the 2003 legislative session, www.leginfo.ca.gov (Assembly Bill 262). Can I be denied treatment or coverage if I don't give my authorization? No. Treatment or health care coverage cannot be denied because you don't sign an authorization. Again, there are exceptions. If the authorization is for research-related treatment, you may not be allowed to participate in the research program without giving authorization to disclose your information. If authorization is requested from a health plan prior to the time you enroll and you refuse to give your authorization, you may not be allowed to enroll. Can I revoke my authorization? Yes, if you do so in writing and before any action is taken based on your authorization. Does a hospital need my authorization to include me in a directory? We explained above about two opportunities to authorize release of your personal data - psychotherapy notes and certain marketing situations. Another situation is created under HIPAA for "directory" information. That situation typically arises when you are admitted to the hospital. Hospitals routinely maintain directories, and inquiries are often made about a patient from a member of the clergy, the news media, family, and friends. If you are not in the directory, the hospital will not be able to tell visitors you are there, route phone calls, deliver flowers, and so on. Situations in which individuals are likely to want to limit the disclosure of directory information include: victims of domestic violence or stalking who need to safeguard their location, celebrities and other public officials who want their hospital stay kept private, and individuals who for whatever reason want to limit others' knowledge of their health condition. Under the HIPAA Privacy Rule, you must be given an opportunity to either agree or disagree to the disclosure of your directory information. When can I agree or disagree to having "directory" information about me disclosed? You should be given this choice as part of the admission procedure. The directory could include information about your location within the facility, your religious affiliation (disclosed to members of the clergy only), and your condition. An agreement to be included in a hospital directory may be made orally or in writing. You can restrict the kinds of information to be disclosed and to whom it is disclosed. In case of an emergency or another situation where you are not able to give your consent, your health care provider may use his or her professional judgment. In that case, you should be consulted later when you are able to make an informed choice. For more on hospital directories, see Myth #3 on the Health Privacy Project web site at www.healthprivacy.org/info-url_nocat2303/info-url_nocat_show.htm?doc_id=173435 Can I give consent or authorization for someone else? Yes, in some circumstances. The HIPAA Privacy Rule includes information on when you can act for another person or when someone can act for you. This might include times when you have a power of attorney, when you are the parent of a minor child or mentally retarded adult, or when you or someone else is acting in an emergency. For more on this, see the section on References below and go to the HIPAA web site for "Personal Reps/Parents and Minors." What documents will I have to sign? The Privacy Rule includes only one situation where the consumer has to sign a document. As discussed above, a patient must sign an authorization form before health information can be disclosed for marketing or when psychotherapy notes are involved. It is also standard for a consumer to be asked to sign a form acknowledging that he or she has received a copy of the provider's privacy policy. However, the regulation says only that the covered entity must make a "good faith" effort to obtain a signed acknowledgement form. A signed acknowledgement means only that the consumer/patient was given a copy of a privacy notice. It does not mean (and should never state) that the consumer agrees with the policy. If the patient does not sign the acknowledgement, the covered entity is supposed to document the "good faith" effort. We have learned of instances where a covered entity has refused to provide services if the patient refuses to sign an acknowledgement. The Privacy Rule does not give the healthcare nstitution the right to deny service to a patient who refuses to sign a document acknowledging that they received a copy of the notice. Your ability to see your own medical records is probably the single most important right you have under HIPAA. Before HIPAA, your right to see or copy your medical records often depended on your state laws. Now, HIPAA sets the national standard, or ìfloor,î meaning that states can give you greater rights to access your medical information, but state laws cannot take away the fundamental access rights you have under HIPAA. Does HIPAA allow me to get my original records? No. HIPAA only gives you the right to get copies of your records. Or, if you choose, you can ask to see your medical records or ask for a summary of your medical file. Do I have to submit a written request for my medical records? HIPAA does not require a written request. However, if your provider requires a written request, you must be given notice of this. Some providers may have a form specifically for this purpose. Or, the provider's privacy policy should tell you how to request your medical records. Even if your doctor does not require a written request, it is always a good idea to put your request in writing. That way, you have a record of important details such as when you filed your request and the record you requested. For a sample letter to request a copy of your medical records, see www.privacyrights.org/Letters/medical2.htm. When will I get my records? Usually, you should get your copies within 30 days of the request. Under HIPAA, if the process takes more than 30 days, you must be given a reason. Your state law may give you the right to receive your records more quickly. In California, for example, you should be able to see your medical records within 5 days and get a copy within 15 days. For more on your rights to access under state laws, see http://hpi.georgetown.edu/privacy/records.html. Do I have to pay for copies of my medical records? Probably, yes. HIPAA says you can be charged a ìreasonable, cost-based fee.î This means you can be charged for supplies and staff time for copying your records. You can also be charged for mailing records, if mailing is what you request. But, you should not be charged for time spent searching for your records. Nor, should a provider have a policy of charging all patients a flat fee. Do I have to pay for a summary of my medical file? Yes, but you must agree to the fee in advance. Can I be denied access to my medical records? Yes, in a few circumstances. For example, you cannot access psychotherapy notes or information compiled for lawsuits. Your request can also be denied if the provider decides the information you want could reasonably endanger your life, your physical safety or that of another person. A written denial letter is usually required. In some cases, you can appeal a denial. If so, you should be given instructions on how to appeal in the written denial. Does HIPAA say medical records must be kept for a certain time? HIPAA does not include a record retention period. It does, however, allow you to request an accounting or report of who has accessed your records. This covers the six years prior to the date you request the accounting. How do I correct inaccurate information in my medical records? You can ask for a correction of inaccurate information. You should make your request in writing. You should receive a written answer within 60 days. If your correction request is denied, you can note your disagreement in your file. My physician is no longer in practice. How do I find my records? The American Health Information Management Association, www.ahima.org, offers the following advice on how to locate records when your physician is no longer in practice: Even if your physician moved, retired, or died, his or her estate has an obligation to retain your records, including immunization records, for a period defined by federal and state law. Often this retention period is 10 years following your last visit (or until a child/patient is 21). You may be able to locate your records by contacting:
Since I am caring for my elderly parents, may I request their medical records? Generally, permission to access another person's medical records must come from the patient. The patient may designate a friend or relative to receive information related to care and treatment. Permission should be given in writing and filed with the care provider or facility. If the patient is incapacitated, you or another person may be appointed legal guardian by a court. Then, the legal guardian decides who has access to the patient's medical records. Is it possible to access medical records of a person who is deceased? HIPAA speaks of two instances that allow access to a deceased's medical files. One, the personal representative designated by a will or appointed by a court to settle the deceased's affairs may gain access to medical files. Second, a relative may receive medical information about the deceased if the information has a bearing on the relative's health. Do I have the right to see my child's medical records? Generally, yes. However, there are some exceptions:
Additional information about a minor child's health records can be found on the HHS web site, www.hhs.gov/ocr. Under ìHealth Information Privacy,î click the link to ìFrequently Asked Questions about Privacy of Health Information,î and then enter the words ìminorî or ìchildî into the search block. The Guttmacher Institute has a guide to state laws, ìMinors and the Right to Consent to Health Careî available at www.guttmacher.org/pubs/tgr / 03/4/gr030404.pdf (2000). For many people, the ultimate worry is that an employer's access to information about health and treatment or even the possibility of future illness can affect employment. The way and extent to which the HIPAA Privacy Rule covers your health information in the workplace depends on the type of health coverage you have. The majority of people in the workforce who have health benefits associated with employment fall into one of two categories:
My employer sponsors a group health plan? Can my boss see my medical claims? HIPAA says that the group health plan can tell your employer whether you are enrolled in the plan or not. Your employer can also get from the group plan what is called "summary" information to use to obtain premium bids or changes in coverage. If the health information your employer receives goes beyond the basic summary, then HIPAA requires the employer to establish procedures much like that of a covered entity. HIPAA attempts to limit the use of medical information for employment purposes. My employer is self-insured. Does HIPAA guarantee my privacy? Under the HIPAA Privacy Rule, an employer that is also the insurer of health benefits is in a category called a "hybrid" entity. That means the portion of the company's operations that deal with processing health claims is a covered entity. Like any other covered entity, a "hybrid" function must (1) give notice of written privacy procedures, (2) place restrictions on the use of health information, and (3) appoint a privacy officer and train staff. Can my self-insured employer see my health claims?If you are the least bit concerned about the privacy of your medical information, the close relationship between your boss and the person who processes your health claims can send a chill down your spine.
HIPAA requires that "hybrid" entities such as self-insured employers erect "firewalls" between the portion of the company that handles the health claims and the portion that does not. However, the effectiveness of this procedure remains to be seen. The threat to privacy posed by self-insured employers was the subject of a report prepared by Congressional Representative Henry Waxman in April, 2002, "Medical Privacy Policies of Large Corporations Have Major Deficiencies," www.house.gov/reform/min/pdfs/pdf_inves/pdf_privacy_rep.pdf. My employer has an on-site health clinic. Is that covered by HIPAA? An on-site health clinic at your place of employment may be another example of what the HIPAA Privacy Rule calls a "hybrid" entity. This depends on whether the health clinic transmits information electronically and engages in standard transactions under HIPAA's electronic data interchange rule, for example, if the clinic bills an employee's health plan. If so, the records maintained by the health clinic are subject to the same protections that apply to other covered entities. Are all records related to my employment and my health subject to HIPAA? No. Records that relate to other employee benefits such as life insurance, disability, workers compensation, or long-term care insurance are not covered by HIPAA. Nor are records that relate to your employer's compliance with laws that govern safety and health risks in the workplace. I work in a hospital. Is my employment file covered by HIPAA? No. The Privacy Rule applies only to records maintained for treatment of patients. Records in your employment file are not covered. There are many situations when the government has the right or the legal obligation to see your medical records. State agencies must keep records of births and deaths as well as registries of people who have been diagnosed with serious illnesses such as cancer or HIV. Typically, disclosures to the government do not require your authorization. (See Section 4 for some examples of when government officials can see your medical records.) Many government-sponsored health programs such as those covering the military, veterans, and government employees are covered by the Privacy Rule. When personally identifiable health information is collected by the government, the federal Privacy Act also applies. HHS, a federal government agency, may have access to your health records in connection with an investigation. The agency's Office of Civil Rights (OCR) reviews complaints about privacy violations. You might complain to the OCR, for example, that your HMO refused to give you a copy of your medical records. Then, OCR could request a copy of your records from your HMO as part of its investigation. Does HIPAA create a government database of medical information? Following is quoted from the HHS web site on the subject of medical databases:
Can my information be disclosed to a collection agency? Yes. When you put on that faded cotton gown and sit on the examining table, you are the patient. But, your role could change to many other things, including that of debtor. You visit your doctor and pay for health insurance premiums so that you are assured of care in an emergency or in case of an illness. But, your relationship is also a business arrangement. You are obligated to pay for any costs not covered by your health insurance. Remember : Your consent is not required to disclose information from your medical files if it is made in connection with payment. An unpaid bill, like any other debt claimed to be owed, may be reported to a collection agency. What's more, an unpaid medical bill can appear as a negative entry on your credit report. Information that can be disclosed to a collection agency about you includes:
A recent study by the Federal Reserve found that over half of all collections noted on credit reports were for unpaid medical bills, www.federalreserve.gov/pubs/bulletin/2003/0203lead.pdf. Can I dispute a medical bill? Unfortunately, the federal law that enables consumers to dispute billing errors does not apply to medical bills. The Fair Credit Billing Act only applies to credit cards accounts and revolving charge accounts. But that does not mean that you cannot dispute billing errors. The medical billing and insurance claims processes can be complicated and confusing. Be sure to stay on top of your medical bills and dispute matters in writing with both the health provider and insurance company when you think errors have been made. Try to get the matter resolved before the debt is reported to a collection agency and/or to the credit reporting agencies (Experian, Equifax, TransUnion). If a medical debt is reported to a collection agency, you have rights given by credit and collection laws. Federal laws are the Fair Credit Reporting Act and the Fair Debt Collection Practices Act. State laws might also apply. For more information about your rights under these consumer protection laws, visit the Federal Trade Commission's web site at www.ftc.gov. You can also learn more about credit reports and your right to dispute negative information by reading the Privacy Rights Clearinghouse Fact Sheet 6, "How Private Is My Credit Report," www.privacyrights.org/fs/fs6-crdt.htm. HIPAA touches nearly every aspect of modern medicine. Privacy in the hotly debated issues of medical research and genetic testing are beyond the scope of this guide. For more information on these topics, see the HHS web site and the References Section at the end of this guide. But HIPAA also touches on privacy in small ways like routine office visits, prescription refills, and messages left on voice mail systems. This is a partial list of day-to-day situations that may or may not be changed by HIPAA:
Will HIPAA stop gossip? Rumors and gossip about medical conditions or treatment are a concern to many people. This is particularly true in small communities where neighbors, friends, and former in-laws might work at the only hospital in town. Under HIPAA, access to sensitive medical information should be limited to those who have a need to know. However, no system can ever stop gossip. If you find that any of your sensitive medical information is disclosed through the grapevine, you should not hesitate to report it to the health care service and file a complaint with the HHS. Health care providers must pay attention to accidental disclosures through routine conversation. A doctor, nurse, or technician may violate the HIPAA Rule simply by saying to a third party that they saw a particular individual at the clinic last week. That statement discloses that the individual is a patient who sought care, and both of those facts are "protected health information" (PHI) under HIPAA. The disclosure might be particularly sensitive if the physician is a psychiatrist, but the same policy applies to family practitioners, pharmacists, and dental hygienists too. What can I do if someone violates the HIPAA Privacy Rule?You don't have the right to sue under HIPAA. The most you can do is file a complaint. The privacy notice you receive from your health care provider or plan is required to tell you how to file a complaint within the organization. The notice should also tell you how to contact the HHS Office of Civil Rights. This is the government office charged with enforcing the Privacy Rule. You must file your complaint within 180 days of the violation, but HHS can extend that time. HIPAA says you cannot be denied treatment because you file a complaint. Even though the HIPAAA Privacy Rule does not give you the right to sue, other federal or state laws or regulations might give you the right to bring an action in court for violations of your privacy. If you feel your rights have been violated, you may want to discuss the situation with an attorney. What happens after I complain?The HHS may decide to investigate and/or try to resolve the issue informally. A person or organization that is obliged to follow the Privacy Rule may face a civil fine of up to $25,000. In extreme cases, the U.S. Department of Justices (DOJ) may be called in to conduct a criminal investigation. If the DOJ becomes involved, violators could face a jail term of up to 10 years and a fine of up to $250,000. Privacy and data security go hand-in-hand. So far, this guide has looked at the HIPAA Privacy Rule, explaining what you can and cannot do to protect your sensitive medical files. A new regulation, also published by the Department of Health and Human Services, describes what "covered entities" must do to make sure your medical files are secure. The Security Rule took effect April 20, 2005, for larger entities, with a one year delay for health plans having annual receipts of $5 million or less. Do I have a role in the HIPAA Security Rule? Patients receive notice about privacy practices, but data security operates behind the scenes, out of your hands. Still the Security Rule is important to patients because, like the Privacy Rule, it creates a national standard. This means that all health care providers, health plans, and health care clearinghouses that transmit information electronically must adopt a data security plan. Does the Security Rule protect all my health records? Only health information maintained or transmitted in electronic format is covered by the Security Rule. Paper records stored in filing cabinets are not subject to the security standards imposed by the HHS. What does the Security Rule require of covered entities? The Security Rule, according to the HHS, was designed to be flexible, establishing a security framework for small practices as well as large institutions. All covered entities must have a written security plan. The HHS identifies three components as necessary for the security plan. Those are:
Each of the three major categories has a number of subcategories. Some things must be included in the security plan while other factors are "addressable," that is items that may be considered and adopted if suitable to the covered entity's size and organization. Will I be notified about a security breach? The Security Rule requires covered entities to adopt "incident" reporting procedures. However, it seems that this relates only to internal reporting. According to the HHS, "This regulation does not specifically require any incident reporting to outside entities. External incident reporting is dependent upon business and legal considerations." Thus, while the HIPAA Security Rule does not require you be notified of a breach, other laws such as California's security breach law may require notice. (CA Civil Code §1798.29) For more on California's security breach law, see www.privacyprotection.ca.gov . Click on “Privacy Laws.” For information on security breach laws in other states, visit Consumers Union’s Financial Privacy Now, www.financialprivacynow.org . For the complete text of the HIPAA Security Rule, see www.cms.hhs.gov/hipaa/hipaa2/regulations/security/03-3877.pdf The National Institute of Standards and Technology (NIST) published a guide to implementing HIPAA’s Security Rule in October 2008. Although NIST’s guide was prepared for use by federal government entities that are subject to HIPAA, the publication also provides voluntary guidelines for use by state, local, and private entities. NIST’s Guide 800-66 is available at: http://csrc.nist.gov/publications/nistpubs/800-66-Rev1/SP-800-66-Revision1.pdf In addition, the Web site for the HHS Office of Civil Rights offers an abundance of educational materials for help in understanding and complying with all phases of HIPAA. www.hhs.gov/ocr/hipaa/ Is my health information stored in electronic format? Almost certainly some - or major portions of your health information - is kept in electronic format. In fact, to be covered by HIPAA at all means that protected health information is transmitted electronically, usually between a healthcare provider and a health benefit plan. Even small medical practices are moving away from paper records. If your provider is a Health Maintenance Organization (HMO) or you have had a hospital stay, your medical information is likely to be accessed through computers accessible to various departments throughout the facility. In addition, some employers have established an internal electronic network of health data. Is there a national database of medical records? Not yet. But, that is the plan. In 2004 President Bush issued an Executive Order that requires the Department of Health and Human Services (HHS) to study and develop a national health information network (NHIN). With a ten-year deadline, the task of overseeing the system has been left to a newly created HHS Office, The Office of the National Coordinator for Health Information Technology, www.hhs.gov/healthit/measuring.html. In addition to HHS efforts, a number of bills have been introduced in Congress to speed the development of and fund a national system of electronic health records. While the NHIN is not likely to be a reality for some time, many state governments have appointed boards and task forces to study the issue. The first step will be a regional network, combining electronic health records from a number of unrelated sources. The next step will be to combine the regional networks to create a statewide network. Ultimately, the state systems will feed into the national network so that health records are available nationwideóeven worldwide. See, for example, the CalRHIO project, www.calrhio.org .
If you followed the 2008 Presidential campaign, you know that the need for electronic health records was frequently mentioned as a national priority. Not surprising then, the Stimulus Bill, signed by President Obama on February 17, 2009, includes a section on health information technology and privacy. The law allots at least $19 billion to meet the goal of electronic health records for all Americans by 2014. It also calls for a number of changes to the federal medical privacy rule, commonly known as HIPAA. This federal rule is governed by the U.S. Department of Health and Human Services (HHS). 15. Tips for Safeguarding Your Medical Information In reading this guide about the HIPAA Privacy Rule, you may have rightly concluded that your ability to control the flow of your sensitive medical information is limited. Still, the more you know, the better able you are to maximize the privacy you have left.
See PRC Fact Sheet 8 for additional privacy protection tips outside the HIPAA arena, www.privacyrights.org/fs/fs8-med.htm. Sample Letter for Requesting Copy of Medical Files Filing Complaints under HIPAA
State Laws and Health Privacy
The Patient as Consumer - Credit and Collection Laws
Health Privacy Project
World Privacy Forum
HIPAA Advisory, Phoenix Health Systems American Health Information Management Association (AHIMA)
Emerging Issues Regarding National Health Information NetworkGovernment resources:
Department of Health and Human Services web site on HIPAA
|
| Copyright © . Privacy Rights Clearinghouse/UCAN. For distribution of this fact sheet, see our copyright and reprint guidelines. The PRC does not allow any of its documents to be posted on other web sites. This copyrighted document may be copied and distributed for nonprofit, educational purposes only.The text of this document may not be altered without express authorization of the Privacy Rights Clearinghouse. This fact sheet should be used as an information source and not as legal advice. PRC fact sheets contain information about federal laws as well as some California-specific information. Laws in other states may vary. Overall, our fact sheets are applicable to consumers nationwide. This publication was originally developed under the auspices of the University of San Diego. Privacy Rights Clearinghouse, 3100 - 5th Ave., Suite B, San Diego, CA 92103. Web: www.privacyrights.org |
