As a healthcare provider, you are ethically and legally bound to protect the medical information of your patients. Proper management of this information can be challenging.
Rules regarding how you obtain, use and transmit personal healthcare information are laid out in the Health Insurance Portability and Accountability Act. Specifically, you should pay attention to the Privacy Rule.
HIPAA was the first piece of legislation designed to protect patient information. The law limits who may access patient information and how they can use it. It applies to written, electronic and oral communication. Generally, healthcare providers may only use patient information for providing treatment, obtaining payment, or improving the quality of their service.
Most importantly, HIPAA created criminal and civil penalties for mishandling or improperly disclosing information. This has gone a long way to incentivize healthcare providers to maintain careful controls.
Who Must Abide by HIPAA Regulations?
Persons and organizations that must abide by HIPAA regulations are called “covered entities.” They include the following groups.
- Healthcare providers – Doctors, hospitals, clinics, therapists, psychologists, chiropractors, pharmacies, dentists, nursing homes, rehab centers, nutritionists, naturopaths, and anyone else who handles health records.
- Health plans – HMOs, insurance companies, employer health plans, and government programs that deal with health or health-related billing information.
- Healthcare clearinghouses – Anyone who processes healthcare information they receive from another entity.
- Business associates – Anyone who handles healthcare information as a function of serving a healthcare organization. This includes contractors, lawyers, accountants, IT specialists, companies that destroy medical records, billing services, software providers, etc.
Not everyone who comes in contact with your medical records is required to follow HIPAA regulations, however. This includes employers, school districts, life insurers, law enforcement agencies, municipal offices, and certain state agencies.
Patients’ Privacy Rights
Honoring your patients’ rights is absolutely paramount. Penalties for noncompliance can reach as high as $50,000 per violation and ten years imprisonment.
Your patients have the following rights regarding their medical information privacy.
1. The Right to Receive Notice of Privacy Practices
Your patients have the right to understand how you will use their healthcare information. Most providers give out a generic notice at the beginning of any patient relationship and post is somewhere in their office. If you don’t, you must provide one if a patient requests.
The privacy notice must describe the HIPAA Privacy Rule (how you may share the information and that you’ll ask for consent for other purposes), explain the patient’s rights, and tell the patient how to file a complaint with the Department of Health and Human Services.
2. The Right to Access and Request Copies of Medical Records
Under HIPAA, patients have the right to view and receive copies of their health information. They do not have rights to obtain the original versions. This applies to electronic records as well. The patient may request a specific format (such as an emailed PDF or a CD). You must comply if the data is available in that format. If not, they must agree on another format or you must produce a physical copy.
Patients can also request that access be given to another person. This other person is usually a relative, another doctor, or an attorney. Have the patient send a written request that identifies the receiving party, the records to be sent, and the address to send them.
HIPAA allows you to charge “reasonable, cost-based fees” to receive medical records. These fees can cover the cost of supplies, staff time for processing, and mailing fees. (Some state laws further limit this provision, so check with your state.)
Patients must receive their requested records within 30 days. You can extend this period an additional month as long as you notify the patient of the reason for the delay and they date they can expect their information.
In limited cases, you can deny a patient’s request for their medical information. For instance, patients do not have the right to view a therapist’s notes or any information you collect that regards to legal proceedings. The patient must receive a written denial letter, which they may be able to appeal. In other cases, patients may not appeal a denial.
3. The Right to Amend Medical Records
Patients may submit a written request to have medical records amended if they feel the information is inaccurate. You have 60 days to respond (with an additional 30 if you reply with a written explanation and target date).
You may deny the request as long as you include the reason for the denial (perhaps you didn’t create the record, the record is accurate, or the individual does not have the right to access the information). You also must include a statement that makes the person aware they can request to have their amendment request and your denial included with all future disclosures, and how they can complain to the Department of Health and Human Services.
4. The Right to Access a Child’s Medical Records
Naturally, parents have the right to see the medical records of their minor children. The parent acts as the child’s personal representative. A parent may not access a child’s records in a few situations:
- The parent agrees that the minor may have a confidential relationship with you.
- A court (or person assigned by the court) orders a minor to obtain healthcare.
- The child consents to care and the law does not require additional parental consent.
The Guttmacher Institute has a detailed guide regarding children’s medical records and state law.
You may not disclose information to schools without a parent’s written authorization. The only exception pertains to immunization records. To protect other students, schools are entitled to know the immunization status of each student.
Medical records in school files are not covered by HIPAA regulations. They are governed by the Family Education Rights and Privacy Act.
5. The Right to Make Special Privacy Requests
You must allow patients to make special requests regarding their privacy. Keep a signed copy of the privacy request at all times.
You aren’t obligated to comply with the patient’s request. But if you do agree to it, you aren’t allowed to change your mind later. You must continue to comply unless you have to violate the request to provide emergency care. You are also not obligated to notify other healthcare providers of the patient’s request, but you are encouraged to do so (or at least inform the patient that they must).
You must accommodate requests for patients to receive communications by alternative means or at alternative locations. For instance, a patient may insist you contact him/her using an alternate mailing address or a special phone line. You must comply with these requests.
If a patient requests to pay out of pocket for their treatment so as to not have medical information disclosed (say, to an insurance company), you must comply (as long as you don’t have a legal requirement to disclose it).
6. The Right to an Accounting of Disclosures
At any time, a patient may request a list of anyone you have sent their healthcare records to in the last six years. It must include any healthcare organizations or business associates you have passed personal information to. You have 30 days to respond with an additional 30 days if you reply with an explanation for the delay and a target date.
The accounting must include the date of the disclosure, name of the entity who received the information, a description of the information, and a statement of the purpose of the disclosure. It does not have to include disclosures regarding payment, healthcare operations, disclosures the patient authorized, disclosures to law enforcement, or disclosures to the patient.
One accounting each year must be free of charge for the patient. Additional accountings in the same year can be subject to a cost-based fee, as long as you make the patient aware of the fee in advance.
Making Common Mistakes
Healthcare providers accidentally violate privacy regulations in the following ways.
- Transmitting information through unsecured electronic methods.
- Faxing prohibited information (sexual assault counseling, HIV test results, and others).
- Cutting corners when you’re busy (ex. failing to shred a document before throwing it away).
- Discussing patient information in a public place.
- Distributing patient information to family members or friends without the patient’s consent.
- Accessing information you don’t “need-to-know” (even if you can access it, you shouldn’t unless you need it).
Patients who are upset with how you handle their privacy may complain to the Department of Health and Human Services. Depending on the veracity and seriousness of the complaint, DHHS may investigate your practice. That’s a hassle you don’t need.
If you have specific questions about your healthcare practice, learn more from the U.S. Department of Health and Human Services website.