Medical Privacy—The HIPAA Privacy Rule
A new medical rule has been made to keep privacy when it comes to your medical records. Even with marriage today, under the Privacy Rule, your spouse can not obtain any medical information on your behalf unless you sign a consent form. The Privacy Rule will not interfere with the care you receive from your doctor. It is the patient’s responsibility, along with the covered entities to know your rights. Knowledge is power.
With the growing number people seeking health care, be it for physical or mental issues, the patient should feel secure that his/her information is being protected. A visit with your doctor should be held confidential and you should feel that you can trust your doctor with any concern you may have.
Patients should feel that their medical information is secure and that no one can obtain their personal information without strict guidelines. The “Privacy Rule”, is a set of standards that protects certain health information.
The U.S. Department of Health and Human Services (“HHS”) is the entity that created the HIPAA Rule. The Privacy Rule addresses the disclosure and use of the patients’ medical information, which is called “protected health information”. Under the HIPAA the patient has control of their individual privacy rights and to understand and control how their health information is used. (Pub. L. 104-191).
The Privacy Rule was designed to protect patient’s health information while some of your health information when needed, would provide high quality care and at the same time protect the well being of the public’s health. The Rule has been made to be flexible and to cover many uses and disclosures the need to be addressed. The entire Rule and additional information can be found at http://www.hhs.gov/ocr/hippa.
Health plans, health care clearinghouses and any health care provider who transmits health information in electronic form in connection with transactions for which the Secretary of HHS has adopted the standard under HIPAA (the “covered entities”) which all have to follow the Administrative Simplification rule. To see if you fall under this rule you can obtain a copy at http://cms.hhs.gov/hipaa/hipaa2/support/tools/decisionsupport/default.asp.
There are exceptions-patients main principal purpose like paying the cost of health care, such as food stamp program; and programs activities that directly provide health care, such as the community health center, or grants that fund the direct provision of the patient’s health care.
All “individual identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media whether electronic, paper or oral is covered by the Privacy Rule. The Privacy Rule calls this information “protected health information” (PHI). (45 (C.F.R. 160.103.)
“Individually identifiable health information” covers information, including demographic data that applies to:
Patient’s present, past, or future physical or mental health.
Patient’s health care provisions.
Patients payments from present, past or future care.
and includes a reasonable basis to the patient’s identity. (45 C.F.R. 160.103). Common identifiers could include (name, address, and Social Security).
“According to the Family Educational Rights and Privacy Act, 20 W.S.C 1232g”, protected health information like employment records and covered entities maintain its capacity as an employer and education and certain records are excluded from the Privacy Rule.
Covered entities may not use or disclose protected health information except when: it requires or permits the Privacy Rule; or when the patient or the patients representative authorizes it in writing. The reason that we have the Privacy Rule is to limit the reasons in which a patient’s protected health information may be used or disclosed by a covered entity.
There are only two situations that a covered entity must disclose protected health information: a patient or the personal representative when they ask access to or accounting of disclosure for their protected health information; and to HHS when they are enforcing action or undertaking a compliance investigation or review.
A covered entity is permitted to disclose or use protected health information, without a patient’s authorization for the following: (1) Directly to the patient (accounting of disclosures); (2) Payment, Treatment, or Health Care Operations; (3) Object or Agree to an Opportunity; (4) Permitted and disclosure due to an incident; (5) Benefit Activities or Public Interest (6) Research, public health or health care operations, which are limited data sets. Professional ethics and covered entities may rely on and use their best judgments when deciding which of those are permissive and what disclosures to make.
Covered entities may use and disclose protected health information as long as it’s for their own treatment, payment, and activities that involve health care.
Information can be released to a covered entity and may disclose protected health information to the patient, as long as the patient was the subject of the information.
Many patients use disclosures of psychotherapy notes for health care operations purposes, treatment and payments. For these purposes they require an authorization. Getting “consent” (written permission from the patient to disclose and use their protected health information for health care operations, treatment, and payment) is up to the covered entities under the Privacy Rule.
There are 12 national priority purposes 45 C.F.R. 164.512 that allows disclosure and use of protected health information, without a patient’s authorization. The Rule in recognition of the important use of health information outside the health care context. Certain conditions or limitations are used to each public interest purpose. The balance between the patient’s privacy interest and the pubic interest are in need of this information.
The covered entities may use and disclose protected health information without the patients authorization as required by law (including by statue, regulations, or court orders.) 45 C.FD.R. 164.5149(e).
Entities that are covered may disclose protected health information to: (1) government authorities are authorized to receive reports of child abuse or neglect, information for preventing and controlling disease, injury or disability; (2) entities that are subjected to the FDA regulations regarding products or activities for event reporting, product tracking, product recalls, and post-marketing surveillance; (3) when an individual may have contracted or been exposed to a communicable disease when it needs to be reported to the law; (4) employers, needing information for their employees requested by employers, for information concerning a work-related illness or injury or work related medical surveillance. This information is needed by the employer to comply with the Occupational Safety and Health Administration (OHSA) 45 C.F.R. 164.512(b) and Mine Safety and Health Administration (MHSA), or by state law.
Information can be disclosed to the appropriate government authorities regarding victims of abuse, neglect, or domestic violence. 45 .C.F.R. 164.512 (a), (c). If a subpoena or other lawful process assurance regarding notice to the patient or a protective order is provided the covered entities may disclose protected health information in a judicial or administrative proceeding as long as the request for the information is done through a court order or administrative tribunal.
There are six certain times that a covered entity may disclose protected health information to law enforcement official for law enforcement purposes; (1) court orders, court-ordered warrants, subpoenas and administrative requests; (2) to locate a missing person, material witness, suspect or fugitive; (3) law enforcement official’s request for information about a suspected victim of a crime; (4) if the covered entity needs to alert law enforcement of a person’s death or suspect that criminal activity caused death; (5) protected health information is evidence of a crime that happened on its premises; and (6) when necessary to inform law enforcement about the commission and nature of a crime, the location of the crime or victims, and the perpetrator of the crime, when a medical emergency did not occur on its premises.C.F.R. 164.5129(f)
Disclosure can be made by covered entities about protected information they believe is necessary to lessen or prevent a serious or imminent threat to a person or the public. They can also disclose to law enforcement if the information is needed to identify or apprehend a violent criminal or apprehend an escapee.45 C.F.R. 164.512(j)
For certain government functions an authorization is not required. Such functions include: execution of a military mission, doing intelligence and national security activities that are authorized by law, protecting the U.S. President, determinations of medical suitability for State Department employees, employees and inmates in a correctional institution for protecting the health and safety, enrollment in certain government benefit programs. 45 C.F.R. 164.512(k).
The Privacy Rule stated that any covered entity must have the patient’s written authorization for use or disclosure of protected health information that is not for health are operations, payment or treatment. Except in limited circumstances, a covered entity may not change treatment, payment or enrollment or benefits eligibility on a patient granting an authorization. 45 C.F.R. 508(b) (4)
Authorizations must be in good language, and show specific information regarding the information to be disclosed or used, the person disclosing and receiving the information, expiration, right to revoke in writing and other data.
“Minimum necessary” is a main part of the Privacy Rule. When requesting information the covered entity must make reasonable efforts to use, disclose, and ask for only the minimum amount of protected health information needed to accomplish for the intended purpose of the use, disclosure, or request. When the minimum standard is applied to disclosure or use, a covered entity may not use, disclose, or request the entire medical record for a particular purpose, unless they can prove the whole record is reasonably needed.
A person that knowingly obtains or discloses a patient’s identifiable health information is in violation of the HIPAA faxes a fine of %50,000 and up to one-year imprisonment. (Pub. L. 104-191; 42 U.S.C. 1320d-6). If the conduct involves false pretenses the penalties increase to $100,000 and up to five years imprisonment. Intent to sell transfer or use identifiable health information for commercial advantage, personal gain or malicious harm can receive a fine up to $250,000 and up to ten years imprisonment. The Department of Justice will enforce criminal sanctions.(Pub. L. 104-191; 42 U.S.C. 1320d-5).
To ensure that you are visiting your doctor with strict confenduality you can rely on the HIPAA Privacy Rule. The patient’s have many rights as do covered entities. You can read about all the laws concerning your privacy at: http://www.hhs.gov/ocr/hipaa.
There are many good things under the Privacy Rule that protect the patient’s confidential health records. You can feel that at your doctor’s visit, you can tell the truth and be honest about any issues knowing that your information will go no further than his/her office. There are certain conditions that covered entities can obtain your medical records with out your permission and you will need to cooperate with them. It would be a good investment to understand the Privacy Rule and how it affects you.