Copyright © |
|
|
|
Today you have more reason than ever to care about the privacy of your medical information. Intimate details you revealed in confidence to your doctor were once stored in locked file cabinets and on dusty shelves in the medical records department. Now, sensitive information about your physical and mental health will almost certainly end up in data files. Your records may be seen by hundreds of strangers who work in health care, the insurance industry, and a host of businesses associated with medical organizations. What's worse, your private medical information is now a valuable commodity for marketers who want to sell you something. The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress in 1996 to set a national standard for electronic transfers of health data. At the same time, Congress saw the need to address growing public concern about privacy and security of personal health data. The task of writing rules on privacy eventually fell to the U.S. Department of Health and Human Services (HHS). After several modifications, DHHS issued the HIPAA Privacy Rule. The Privacy Rule was effective on April 14, 2003, for most health care providers, health plans, and health care clearinghouses. Small plans had until April 14, 2004 to comply. If you expect HIPAA to restore your confidence that sensitive medical data is a matter between you and your doctor, you will be disappointed. HIPAA sets the standard for privacy in the electronic age where health industry, government, and public interests often prevail over the patient's desire for confidentiality. This guide explains the complex provisions of HIPAA's Privacy Rule as well as recent measures to strengthen privacy and data security as the country moves closer to a system of electronic health records. It covers HIPAA's high points and low points regarding your health privacy. For more information on HIPAA and additional rules that are not explained here, go to the References section at the end of this guide.
What does HIPAA do? Is it good or bad? The final version of the Privacy Rule includes both good and bad news for consumers. You may be surprised to see the new privacy "rights" in HIPAA were ones you always thought you had. The following provisions are HIPAA's "high points."
What are HIPAA's shortcomings?Like it or not, you are not the only one with an interest in control of personal health information. The balancing act between your interests and those of other stakeholders is often tipped on the side of government, the medical profession, related businesses, and public interests. Consumer and patient advocates are critical of HIPAA for its numerous weaknesses. Here are some of the ways that patients' rights to privacy come up short:
Is everyone involved in my health care covered by HIPAA?No. The HIPAA Privacy Rule pertains to three categories of "covered entities" - health care providers, health plans, and health care clearinghouses.
An organization may also be what is called a hybrid entity. A hybrid entity provides health care as only part of its business. A large corporation that has a self-insured health plan for its employees is one example of a hybrid entity. Only the portion of the company that processes claims and makes payments to health care providers is subject to the HIPAA Privacy Rule. Who is not covered by the HIPAA Privacy Rule?Your medical information may be available to many who are not covered by HIPAA. Here are some examples of who is not covered.
Even though these institutions are not covered by HIPAA, they may get information from a covered entity. Is the Medical Information Bureau (MIB) a covered entity? No. The MIB is a membership organization made up of insurance companies. Because the MIB is neither a health care provider, health care plan, nor health care clearinghouse, it is not a covered entity. Most of MIB's members underwrite life and disability insurance, functions that are not covered by HIPAA.
What kind of information is covered by the HIPAA Privacy Rule?HIPAA covers any information about your past, present or future mental or physical health including information about payment for your care. To be covered by HIPAA, information has to be kept by a covered entity - a health care provider, health care plan, or health care clearinghouse. This, combined with some fact that identifies you (your name, address, telephone number, Social Security number) is called "protected health information" or PHI. PHI can be oral, handwritten, or entered into a computer. This means a conversation between a doctor and nurse about your condition has the same general protections as information written on your records. Are my child's (K-12) records of visits to the school nurse covered by HIPAA?No. Health records kept by schools are classified as "education records" covered by the Family Educational Rights and Privacy Act (FERPA). For more on FERPA and privacy of your child's education records, visit the US Department of Education web site, www.ed.gov/offices/OM /fpco/ferpa/index.html. Are there any limits on what can be disclosed from my medical file?The Privacy Rule incorporates what it calls a "minimum necessary" standard when it comes to how much information should be disclosed. Doctors, hospitals, and others covered by the HIPAA Privacy Rule are required to limit the amount of information disclosed to others to the minimum necessary to accomplish the intended purpose. What amounts to the minimum is left up to the health care provider, not you. And, the minimum necessary rule does not apply to information disclosed in connection with treatment. It also doesn't apply if you authorize the disclosure of your health information.
Your ability to control how your medical information is used falls generally into four different situations - along a continuum of no control to some control :
The HIPAA Privacy Rule makes a distinction between your "consent" and your "authorization." An authorization must be given on a separate document that sets out details of the disclosure. Consent, when required, is much less formal (discussed further below.) The HHS explains the difference between consent and authorization in the Question and Answer Section of the Agency's web site. To read the Agency's explanation, go to: www.hhs.gov/ocr/privacy/hipaa/faq/use/264.html. When can information be used without my consent? Consent for use of your information is not the same as consent for treatment. The HIPAA Privacy Rule does not change the general requirement that a health care provider needs your consent before treating you. A covered entity is allowed to seek your consent, and some state laws require patient consent for treatment, payment, and other disclosures. A covered entity is required to make a good faith effort to obtain your acknowledgment that you received a notice of privacy practices, but this is not the same as obtaining consent. Your consent is not required when your medical information is used for treatment, payment, or for health care operations (TPO). But it goes much further than that. Your consent is not necessary when your information is used by a business associate of your health care provider or plan. Services provided by a business associate can include: legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, and financial. These business relationships are established with a written contract. Your personal medical information can be used to carry on the business association, but you are not a party to the arrangement. Does HIPAA allow a provider to contract with a foreign business associate ? HIPAA makes no distinction between a U.S. business associate and one based in a foreign country. Of late, outsourcing services that involve the transfer of personal data offshore have been the subject of many press reports. Legislation has been introduced in Congress and some state legislatures to at least give consumers notice when medical data is sent offshore. For many Americans, outsourcing is most troubling when the services provided by a foreign company entail the use of highly sensitive medical and financial information. However, to date, there are no legal restrictions on outsourcing medical-related services. What does "health care operations" mean? Health care operations are not the same as business associate arrangements. Use of your medical information for purposes of carrying out operations does not require a written contract. Here are just some of the things that fall under the broad heading of operations:
Will I ever know how many people have seen my medical information? HIPAA requires safeguards to limit the number of people who have access to personal information. Given the number of people who may have access to your information just to run the operations and business of the health care provider or plan, there is no realistic way to count the number of people who may come across your records. If you are hospitalized, for example, hundreds of hospital employees may see your health information. When you add to this the number of instances listed below in which your medical information can be disclosed without your authorization, the numbers can be staggering. For an idea of how extensive routine disclosures can be, read "Health Privacy: The Way We Live Now" by Robert Gellman, reprinted on the Privacy Rights Clearinghouse web site, www.privacyrights.org/ar/gellman-med.htm. Can my PHI be disclosed without my authorization?The HIPAA Privacy Rule carves out many exceptions to your ability to authorize release of your "protected health information," including details that identify you . As discussed earlier, you don't have the right to consent or object when your information is used for treatment, payment, or operations, including disclosures to business associates of your health care provider or plan. Each of these exceptions places conditions on the covered entity that makes the decision to disclose. But, you are out of the loop. The flow of your medical information is beyond your control when the disclosure is made by a covered entity to or in connection with:
Further . . .
For more about disclosures in a law enforcement context, see the HHS response to a question on this topic at: www.hhs.gov/ocr/privacy/hipaa/faq/permitted/law/505.html Obviously, many of the disclosures listed above are made for the public good. Some disclosures are required by law. Who could argue, for example, with the need to alert public health officials to an outbreak of a deadly disease. And there is without a doubt a strong public interest in mandatory reporting of suspected child abuse. Each one of the disclosures listed above that can be made without the authorization of the subject carries with it a set of conditions. For a complete list of those conditions, you may want to look at §164.512 the Privacy Rule itself, http://edocket.access.gpo.gov/cfr_2002/octqtr/45cfr164.512.htm. Is my authorization ever required before my information can be disclosed ? HIPAA requires your specific authorization unless disclosure is not otherwise allowed. Special authorization requirements apply (1) when the disclosure involves psychotherapy notes and (2) when the disclosure is made for marketing. The Privacy Rule explains the procedure that must be followed to get your authorization. It states that you should not be denied treatment because you decide not to sign the authorization.
Following are some examples from the HHS web site of what is and is not considered marketing under the Privacy Rule: Examples of marketing communications requiring prior authorization:
It is not marketing and no authorization from you is required when :
The term "marketing" is one area that is likely to be debated by state legislators given states' authority to expand HIPAA privacy protections. Can I be denied treatment or coverage if I don't give my authorization? No. Treatment or health care coverage cannot be denied because you don't sign an authorization. Again, there are exceptions. If the authorization is for research-related treatment, you may not be allowed to participate in the research program without giving authorization to disclose your information. If authorization is requested from a health plan prior to the time you enroll and you refuse to give your authorization, you may not be allowed to enroll. Can I revoke my authorization? Yes, if you do so in writing and before any action is taken based on your authorization. Does a hospital need my authorization to include me in a directory? We explained above about two opportunities to authorize release of your personal data - psychotherapy notes and certain marketing situations. Another situation is created under HIPAA for "directory" information. Although your written authorization is not required as it is for marketing and psychotherapy notes, whether you are included in a hospital directory requires your consent. Again, note the HHS explanation of the difference between consent and authorization. www.hhs.gov/ocr/privacy/hipaa/faq/use/264.html That situation typically arises when you are admitted to the hospital. Hospitals routinely maintain directories, and inquiries are often made about a patient from a member of the clergy, the news media, family, and friends. If you are not in the directory, the hospital will not be able to tell visitors you are there, route phone calls, deliver flowers, and so on. Situations in which individuals are likely to want to limit the disclosure of directory information include: victims of domestic violence or stalking who need to safeguard their location, celebrities and other public officials who want their hospital stay kept private, and individuals who for whatever reason want to limit others' knowledge of their health condition. Under the HIPAA Privacy Rule, you must be given an opportunity to either agree or disagree to the disclosure of your directory information. When can I agree or disagree to having "directory" information about me disclosed? You should be given this choice as part of the admission procedure. The directory could include information about your location within the facility, your religious affiliation (disclosed to members of the clergy only), and your condition. An agreement to be included in a hospital directory may be made orally or in writing. You can restrict the kinds of information to be disclosed and to whom it is disclosed. In case of an emergency or another situation where you are not able to give your consent, your health care provider may use his or her professional judgment. In that case, you should be consulted later when you are able to make an informed choice.
Can I give consent or authorization for someone else? Yes, in some circumstances. The HIPAA Privacy Rule includes information on when you can act for another person or when someone can act for you. This might include times when you have a power of attorney, when you are the parent of a minor child or mentally retarded adult, or when you or someone else is acting in an emergency. For more on this, see the section on References below and the HHS website for the publication entitled "Personal Representatives," www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/personalrepresentatives.pdf What documents will I have to sign? The Privacy Rule includes only one situation where the consumer has to sign a document. As discussed above, a patient must sign an authorization form before health information can be disclosed for marketing or when psychotherapy notes are involved. It is also standard for a consumer to be asked to sign a form acknowledging that he or she has received a copy of the provider's privacy policy. However, the regulation says only that the covered entity must make a "good faith" effort to obtain a signed acknowledgement form. A signed acknowledgement means only that the consumer/patient was given a copy of a privacy notice. It does not mean (and should never state) that the consumer agrees with the policy. If the patient does not sign the acknowledgement, the covered entity is supposed to document the "good faith" effort. We have learned of instances where a covered entity has refused to provide services if the patient refuses to sign an acknowledgement. The Privacy Rule does not give the healthcare nstitution the right to deny service to a patient who refuses to sign a document acknowledging that they received a copy of the notice. Your ability to see your own medical records is probably the single most important right you have under HIPAA. Before HIPAA, your right to see or copy your medical records often depended on your state laws. Now, HIPAA sets the national standard, or ìfloor,î meaning that states can give you greater rights to access your medical information, but state laws cannot take away the fundamental access rights you have under HIPAA. Does HIPAA allow me to get my original records? No. HIPAA only gives you the right to get copies of your records. Or, if you choose, you can ask to see your medical records or ask for a summary of your medical file. Do I have to submit a written request for my medical records? HIPAA does not require a written request. However, if your provider requires a written request, you must be given notice of this. Some providers may have a form specifically for this purpose. Or, the provider's privacy policy should tell you how to request your medical records. Even if your doctor does not require a written request, it is always a good idea to put your request in writing. That way, you have a record of important details such as when you filed your request and the record you requested. For a sample letter to request a copy of your medical records, see www.privacyrights.org/Letters/medical2.htm. When will I get my records? Usually, you should get your copies within 30 days of the request. Under HIPAA, if the process takes more than 30 days, you must be given a reason. Your state law may give you the right to receive your records more quickly. In California, for example, you should be able to see your medical records within 5 days and get a copy within 15 days. For more on your rights to access under state laws, see http://hpi.georgetown.edu/privacy/records.html. Do I have to pay for copies of my medical records? Probably, yes. HIPAA says you can be charged a "reasonable, cost-based fee." This means you can be charged for supplies and staff time for copying your records. You can also be charged for mailing records, if mailing is what you request. But, you should not be charged for time spent searching for your records. Nor, should a provider have a policy of charging all patients a flat fee. Do I have to pay for a summary of my medical file? Yes, but you must agree to the fee in advance. Can I be denied access to my medical records? Yes, in a few circumstances. For example, you cannot access psychotherapy notes or information compiled for lawsuits. Your request can also be denied if the provider decides the information you want could reasonably endanger your life, your physical safety or that of another person. A written denial letter is usually required. In some cases, you can appeal a denial. If so, you should be given instructions on how to appeal in the written denial. Does HIPAA say medical records must be kept for a certain time? HIPAA does not include a record retention period. It does, however, allow you to request an accounting or report of who has accessed your records. This covers the six years prior to the date you request the accounting. Although HIPAA does not require that medical records be kept for a set time, many states have such laws. To find out what your state has to say about retention of medical records, see the following American Health Information Management Association (AHIMA) publication: http://library.ahima.org/xpedio/groups/public/documents/ahima/bok1_012547.pdf How do I correct inaccurate information in my medical records? You can ask for a correction of inaccurate information. You should make your request in writing. You should receive a written answer within 60 days. If your correction request is denied, you can note your disagreement in your file. My physician is no longer in practice. How do I find my records? The American Health Information Management Association, www.ahima.org, offers the following advice on how to locate records when your physician is no longer in practice: Even if your physician moved, retired, or died, his or her estate has an obligation to retain your records, including immunization records, for a period defined by federal and state law. Often this retention period is 10 years following your last visit (or until a child/patient is 21). You may be able to locate your records by contacting:
Since I am caring for my elderly parents, may I request their medical records? Generally, permission to access another person's medical records must come from the patient. The patient may designate a friend or relative to receive information related to care and treatment. Permission should be given in writing and filed with the care provider or facility. If the patient is incapacitated, you or another person may be appointed legal guardian by a court. Then, the legal guardian decides who has access to the patient's medical records. Is it possible to access medical records of a person who is deceased? HIPAA speaks of two instances that allow access to a deceased's medical files. One, the personal representative designated by a will or appointed by a court to settle the deceased's affairs may gain access to medical files. Second, a relative may receive medical information about the deceased if the information has a bearing on the relative's health. Do I have the right to see my child's medical records? Generally, yes. However, there are some exceptions:
Additional information about a minor child's health records can be found on the HHS web site at www.hhs.gov/ocr/privacy/hipaa/faq/personal/227.html. The Guttmacher Institute has a guide to state laws, "Minors and the Right to Consent to Health Care" available at www.guttmacher.org/pubs/tgr / 03/4/gr030404.pdf (2000). For many people, the ultimate worry is that an employer's access to information about health and treatment or even the possibility of future illness can affect employment. The way and extent to which the HIPAA Privacy Rule covers your health information in the workplace depends on the type of health coverage you have. The majority of people in the workforce who have health benefits associated with employment fall into one of two categories:
My employer sponsors a group health plan? Can my boss see my medical claims? HIPAA says that the group health plan can tell your employer whether you are enrolled in the plan or not. Your employer can also get from the group plan what is called "summary" information to use to obtain premium bids or changes in coverage. If the health information your employer receives goes beyond the basic summary, then HIPAA requires the employer to establish procedures much like that of a covered entity. HIPAA attempts to limit the use of medical information for employment purposes. My employer is self-insured. Does HIPAA guarantee my privacy? Under the HIPAA Privacy Rule, an employer that is also the insurer of health benefits is in a category called a "hybrid" entity. That means the portion of the company's operations that deal with processing health claims is a covered entity. Like any other covered entity, a "hybrid" function must (1) give notice of written privacy procedures, (2) place restrictions on the use of health information, and (3) appoint a privacy officer and train staff. Can my self-insured employer see my health claims?If you are the least bit concerned about the privacy of your medical information, the close relationship between your boss and the person who processes your health claims can send a chill down your spine.
HIPAA requires that "hybrid" entities such as self-insured employers erect "firewalls" between the portion of the company that handles the health claims and the portion that does not. However, the effectiveness of this procedure remains to be seen. My employer has an on-site health clinic. Is that covered by HIPAA? An on-site health clinic at your place of employment may be another example of what the HIPAA Privacy Rule calls a "hybrid" entity. This depends on whether the health clinic transmits information electronically and engages in standard transactions under HIPAA's electronic data interchange rule, for example, if the clinic bills an employee's health plan. If so, the records maintained by the health clinic are subject to the same protections that apply to other covered entities. Are all records related to my employment and my health subject to HIPAA? No. Records that relate to other employee benefits such as life insurance, disability, workers compensation, or long-term care insurance are not covered by HIPAA. Nor are records that relate to your employer's compliance with laws that govern safety and health risks in the workplace. I work in a hospital. Is my employment file covered by HIPAA? No. The Privacy Rule applies only to records maintained for treatment of patients. Records in your employment file are not covered. There are many situations when the government has the right or the legal obligation to see your medical records. State agencies must keep records of births and deaths as well as registries of people who have been diagnosed with serious illnesses such as cancer or HIV. Typically, disclosures to the government do not require your authorization. (See Section 4 for some examples of when government officials can see your medical records.) Many government-sponsored health programs such as those covering the military, veterans, and government employees are covered by the Privacy Rule. When personally identifiable health information is collected by the government, the federal Privacy Act also applies. HHS, a federal government agency, may have access to your health records in connection with an investigation. The agency's Office of Civil Rights (OCR) reviews complaints about privacy violations. You might complain to the OCR, for example, that your HMO refused to give you a copy of your medical records. Then, OCR could request a copy of your records from your HMO as part of its investigation. Does HIPAA create a government database of medical information? Following is quoted from the HHS web site on the subject of medical databases: To see the full answer to this question, go to: www.hhs.gov/ocr/privacy/hipaa/faq/permitted/rule/347.html. 9. Your Health Information and Your Credit Report Can my information be disclosed to a collection agency? Yes. When you put on that faded cotton gown and sit on the examining table, you are the patient. But, your role could change to many other things, including that of debtor. You visit your doctor and pay for health insurance premiums so that you are assured of care in an emergency or in case of an illness. But, your relationship is also a business arrangement. You are obligated to pay for any costs not covered by your health insurance. Remember : Your consent is not required to disclose information from your medical files if it is made in connection with payment. An unpaid bill, like any other debt claimed to be owed, may be reported to a collection agency. What's more, an unpaid medical bill can appear as a negative entry on your credit report. Information that can be disclosed to a collection agency about you includes:
A 2003 study by the Federal Reserve found that over half of all collections noted on credit reports were for unpaid medical bills, http://www.federalreserve.gov/pubs/bulletin/2003/0203lead.pdf. Can I dispute a medical bill? Unfortunately, the federal law that enables consumers to dispute billing errors does not apply to medical bills. The Fair Credit Billing Act only applies to credit card accounts and revolving charge accounts. But that does not mean that you cannot dispute billing errors. The medical billing and insurance claims processes can be complicated and confusing. Be sure to stay on top of your medical bills and dispute matters in writing with both the health provider and insurance company when you think errors have been made. Try to get the matter resolved before the debt is reported to a collection agency and/or to the credit reporting agencies (Experian, Equifax, TransUnion). If a medical debt is reported to a collection agency, you have rights given by credit and collection laws. Federal laws are the Fair Credit Reporting Act and the Fair Debt Collection Practices Act. State laws might also apply. For more information about your rights under these consumer protection laws:
Can an overdue medical bill appear on my credit report?
Yes. Unfortunately, even astronomical debt that stems from life-saving procedures is treated like any other debt. If neither you nor your insurer pay for the care, a medical debt can appear on your credit report. Not too long ago, a delinquent medical debt listed on your credit report might reveal not only the amount of the debt, but also the identity of the medical creditor. Needless to say, such a practice could reveal the nature of your illness or treatment as well. Now, thanks to changes in the Fair Credit Reporting Act, your credit report cannot reveal the name, address, or telephone number of a medical creditor—unless the information is in code. For more on the medical privacy changes adopted under the Fair and Accurate Credit Reporting Act (FACTA), see PRC Fact Sheet 6a, FACTA, The Fair and Accurate Credit Transactions Act: Consumers Win Some, Lose Some, www.privacyrights.org/fs/fs6a-facta.htm#7 .
Can my health care provider check my credit report and credit score? If you owe money for unpaid medical bills, the provider or the provider’s debt collector, like any other creditor, can check your credit report. From this the provider or collector might learn, for example, that you have the ability to pay from untapped lines of credit on your home equity loan or credit card. And, like any other creditor, a health provider could report an overdue account to your credit report. A provider might also check your credit report if you are applying for free or discounted medical services. Again, based on information in your credit report, the provider might decide that you are not entitled to free or discounted services because you have assets or available credit.
I read a news article about medical "scores." What is that? News articles in early 2008 reported on the development of a medical scoring system that would rate your risk of not paying a medical bill. Under this scheme, your risk analysis would be based on your past payment history of medical bills. Such systems, dubbed “MedFICO” and sometimes called a “wallet biopsy,” should not stop you from getting treatment in an emergency situation. If ever widely used, however, such medical scoring systems could force patients to exhaust all resources, such as retirement accounts or home equity credit lines to pay for needed health care. Widespread use of a medical scoring system could also create significantly more trouble for victims of medical identity theft. This type of identity theft occurs when someone uses your identifying information to receive health care or for the payment of insurance benefits for the payment of health care. For more on medical identity theft, see the World Privacy Forum’s Identity Theft Information Page, at www.worldprivacyforum.org/medicalidentitytheft.html.
HIPAA touches nearly every aspect of modern medicine. Privacy in the hotly debated issues of medical research and genetic testing are beyond the scope of this guide. For more information on these topics, see the HHS web site and the References Section at the end of this guide. But HIPAA also touches on privacy in small ways like routine office visits, prescription refills, and messages left on voice mail systems. This is a partial list of day-to-day situations where HIPAA comes into play:
To find out what HHS has to say about routine situations, conduct your own keyword search of the agency’s Frequently Asked Questions Section at: www.hhs.gov/ocr/privacy/hipaa/faq/index.html. Rumors and gossip about medical conditions or treatment are a concern to many people. This is particularly true in small communities where neighbors, friends, and former in-laws might work at the only hospital in town. Under HIPAA, access to sensitive medical information should be limited to those who have a need to know. However, no system can ever stop gossip. If you find that any of your sensitive medical information is disclosed through the grapevine, you should not hesitate to report it to the health care service and file a complaint with the HHS. Health care providers must pay attention to accidental disclosures through routine conversation. A doctor, nurse, or technician may violate the HIPAA Rule simply by saying to a third party that they saw a particular individual at the clinic last week. That statement discloses that the individual is a patient who sought care, and both of those facts are "protected health information" (PHI) under HIPAA. The disclosure might be particularly sensitive if the physician is a psychiatrist, but the same policy applies to family practitioners, pharmacists, and dental hygienists too. What can I do if someone violates the HIPAA Privacy Rule?You don’t have the right to sue under HIPAA. The most you can do is file a complaint. The privacy notice you receive from your health care provider or plan is required to tell you how to file a complaint within the organization. Every HIPAA covered entity must have a designated privacy officer. The notice should also tell you how to contact the HHS Office of Civil Rights. This is the government office charged with enforcing the Privacy Rule. Even though the HIPAA Privacy Rule does not give you the right to sue, other federal or state laws or regulations might give you the right to bring an action in court for violations of your privacy. If you feel your rights have been violated, you may want to discuss the situation with an attorney.
For more on health privacy provisions of the 2009 Stimulus Law, see World Privacy Forum’s analysis of the American Recovery and Reinvestment Act of 2009, http://bobgellman.com/rg-docs/Stimulus-Privacy-HIPAA-Analysis.pdf. For a summary of the health information technology provisions of the Stimulus Law, see the American Medical Association (AMA) publication at: www.ama-assn.org/ama1/pub/upload/mm/399/arra-hit-provisions.pdf For a summary of the privacy provisions of the Stimulus Law, see the of the AMA publication at: www.ama-assn.org/ama1/pub/upload/mm/399/arra-privacy-provisions.pdf Also see Part 14 of this guide. What happens after I complain?The HHS may decide to investigate and/or try to resolve the issue informally. A person or organization that is obliged to follow the Privacy Rule may face a civil fine of up to $25,000, recently raised to a maximum of $50,000. In extreme cases, the U.S. Department of Justice (DOJ) may be called in to conduct a criminal investigation. If the DOJ becomes involved, violators could face a jail term of up to 10 years and a fine of up to $250,000. Privacy and data security go hand in hand. So far, this guide has looked at the HIPAA Privacy Rule, explaining what you can and cannot do to protect your sensitive medical files. Another regulation, also published by the Department of Health and Human Services, describes what "covered entities" must do to make sure your medical files are secure. The Security Rule took effect April 20, 2005, for larger entities, with a one year delay for health plans having annual receipts of $5 million or less. Do I have a role in the HIPAA Security Rule? Patients receive notice about privacy practices, but data security operates behind the scenes, out of your hands. Still the Security Rule is important to patients because, like the Privacy Rule, it creates a national standard. This means that all health care providers, health plans, and health care clearinghouses that transmit information electronically must adopt a data security plan. Does the Security Rule protect all my health records? Only health information maintained or transmitted in electronic format is covered by the Security Rule. Paper records stored in filing cabinets are not subject to the security standards imposed by the HHS. What does the Security Rule require of covered entities? The Security Rule, according to the HHS, was designed to be flexible, establishing a security framework for small practices as well as large institutions. All covered entities must have a written security plan. The HHS identifies three components as necessary for the security plan.
Each of the three major categories has a number of subcategories. Some things must be included in the security plan while other factors are "addressable," that is items that may be considered and adopted if suitable to the covered entity's size and organization. However, provisions in the 2009 Stimulus Law may soon bring stepped up enforcement of HIPAA’s privacy and security provisions. For example, state attorneys general are now authorized to file enforcement cases in federal district court. Penalties for violations have been substantially increased. And, periodic audits by HHS are now mandatory rather than discretionary as once was the case. To learn more about the changes brought about by the 2009 Stimulus Law, see Part 14 of this guide. Does the Security Rule address proper disposal of medical information? Not directly. However, HHS has issued guidelines related to disposal. Although the guidelines do not require a certain disposal method, it is clear that casual disposal such as in a dumpster is a a HIPAA violation. In February 2009 HHS fined giant pharmacy chain CVS $2.25 million for failing to properly protect information through the disposal process.
Will I be notified about a security breach? The Security Rule adopted in 2005 did not require notice. However, notice might nonetheless be required by state laws that apply generally to a variety of industries, including health care providers. California, for example, has had such a law in place since 2003.. This means a HIPAA covered entity’s breach event that took place in California after 2003 could have triggered a notice even though notice was not required by the HIPAA Security Rule. And as of January 1, 2009, California residents have an absolute right to notice of a health information breach. For more on California's general security breach law, see the “privacy laws” section in the web site of the California Office of Privacy Protection, www.oispp.ca.gov/consumer_privacy/default.asp. • For the complete text of the HIPAA Security Rule, see www.cms.hhs.gov/hipaa/hipaa2/regulations/security/03-3877.pdf In addition, effective January 1, 2009, California law imposes new security standards for health information. Now both state officials and the individual concerned must be notified within five days of a breach of health care information. The new law applies not only to health care providers that are subject to HIPAA but also to such other health facilities as health clinics, home health agencies and hospices. To learn more about recent changes to California law, visit the web site for the newly created state agency, the California Office of Health Information Integrity, www.ohi.ca.gov/calohi/Home/tabid/36/Default.aspx A number of other states have also adopted laws requiring a notice to individuals. To find out whether your state has such a law, visit the web site for the organization Patient Privacy Rights. www.patientprivacyrights.org/site/PageServer?pagename=statelaws#AL. 13. Electronic Health Records (EHRs) Is my health information stored in electronic format? Almost certainly some, or at least major portions of your health information, is kept in electronic format. In fact, to be covered by HIPAA at all means that protected health information is transmitted electronically, usually between a healthcare provider and a health benefit plan. Even small medical practices are moving away from paper records. If your provider is a Health Maintenance Organization (HMO) or you have had a hospital stay, your medical information is likely to be accessed through computers accessible to various departments throughout the facility. In addition, some employers have established an internal electronic network of health data. Is there a national database of medical records? Not yet. But, that is the plan. In 2004 President Bush issued an Executive Order that requires the Department of Health and Human Services (HHS) to study and develop a national health information network (NHIN). With a ten-year deadline, the task of overseeing the system has been left to a newly created HHS Office, The Office of the National Coordinator for Health Information Technology, http://healthit.hhs.gov/portal/server.pt In addition, the 2009 Stimulus Law signed by President Obama calls for a system of electonic health records by 2014. The bill allocates up to $19 billion to implement adoption of the system. For more on the 2009 Stimulus Law, see Part 14 of this guide. While the NHIN is not likely to be a reality for some time, many state governments have appointed boards and task forces to study the issue. The first step will be a regional network, combining electronic health records from a number of unrelated sources. The next step will be to combine the regional networks to create a statewide network. Ultimately, the state systems will feed into the national network so that health records are available nationwideóeven worldwide. See, for example, the CalRHIO project, www.calrhio.org.
Is an electronic health record (EHR) the same as a personal health record (PHR)? No. EHR refers to a system of electronically stored health records maintained by health care providers. PHR, on the other hand, refers to personal health records stored on web-based systems, often created and maintained by patients themselves. Some PHR systems are offered by health care providers such as hospitals. But, many commercial vendors also offer web-based PHR systems that allow individuals to store health care information. For more on PHRs, see:
If you followed the 2008 Presidential campaign, you know that the need for electronic health records was frequently mentioned as a national priority. Not surprising then, the Stimulus Law, signed by President Obama on February 17, 2009, includes a section on health information technology and privacy. The law allots at least $19 billion to meet the goal of electronic health records for all Americans by 2014. It also calls for a number of changes to the federal medical privacy rule, commonly known as HIPAA. This federal rule is governed by the U.S. Department of Health and Human Services (HHS). Following are some highlights of the legislation:
Also see the American Medical Association Web site for a complete list of health-related provisions included in the 2009 Stimulus legislation. www.ama-assn.org/ama/pub/advocacy/current-topics-advocacy/hr1-stimulus-summary.shtml and the analysis by the American Health Information Management Association at: www.ahima.org/dc/documents/AnalysisofARRAPrivacy-fin-3-2009a.pdf
15. Health Information Privacy in California As of January 1, 2009, privacy and security standards reached a new level for California residents. Two laws (AB 211 and SB 541) which were signed by the Governor in September of 2008 combine to give Californians rights that significantly exceed those granted by HIPAA.
For an extensive list of health providers and health facilities obligated to protect health information under the new California law, see Frequently Asked Questions (FAQ) on the web site of the newly created California Office of Health Information Integrity (CALOHI), www.ohi.ca.gov/calohi/MedicalPrivacyEnforcement/FAQs/tabid/158/Default.aspx#two.
Where do I go to complain about a violation of California law?
For more details on filing a complaint with CALOHI, see: www.ohi.ca.gov/calohi/MedicalPrivacyEnforcement/FAQs/tabid/158/Default.aspx#two. 16. Tips for Safeguarding Your Medical Information In reading this guide about the HIPAA Privacy Rule, you may have rightly concluded that your ability to control the flow of your sensitive medical information is limited. Still, the more you know, the better able you are to maximize the privacy you have left.
Filing Complaints under HIPAA
State Laws and Health Privacy
The Patient as Consumer - Credit and Collection Laws
Sample Letter for Requesting Copy of Medical FilesWorld Privacy Forum
Patient Privacy Rights Health Privacy ProjectAmerican Health Information Management Association (AHIMA)
U.S. Department of Health and Human Services (HHS) web site on HIPAA
|
| Copyright © . Privacy Rights Clearinghouse/UCAN. For distribution of this fact sheet, see our copyright and reprint guidelines. The PRC does not allow any of its documents to be posted on other web sites. This copyrighted document may be copied and distributed for nonprofit, educational purposes only. The text of this document may not be altered without express authorization of the Privacy Rights Clearinghouse. This fact sheet should be used as an information source and not as legal advice. PRC fact sheets contain information about federal laws as well as some California-specific information. Laws in other states may vary. Overall, our fact sheets are applicable to consumers nationwide. This publication was originally developed under the auspices of the University of San Diego. Privacy Rights Clearinghouse, 3100 - 5th Ave., Suite B, San Diego, CA 92103. Web: www.privacyrights.org |
