Understanding Your Patients’ Privacy Rights
As a healthcare provider, you are ethically and legally bound to protect your patients’ privacy, including the confidentiality of their medical information. Managing that information properly can be challenging.
The rules for how you obtain, use, and transmit protected health information (PHI) are laid out in the Health Insurance Portability and Accountability Act (HIPAA) and its implementing regulations. Pay particular attention to the Privacy Rule.
HIPAA was the first federal law to set national standards for protecting patient information. It limits who may access patient information and how they may use it, and it applies to written, electronic, and oral communication. Generally, healthcare providers may use and disclose a patient’s information without the patient’s authorization only for treatment, payment, and healthcare operations (such as quality improvement).
Most importantly, HIPAA created civil and criminal penalties for mishandling or improperly disclosing information. HIPAA fines have gone a long way toward giving healthcare providers an incentive to maintain careful controls.
Who Must Abide by HIPAA Regulations?
Persons and organizations that must abide by HIPAA regulations are called covered entities. They include the following groups.
- Healthcare providers: Doctors, hospitals, clinics, therapists, psychologists, chiropractors, pharmacies, dentists, nursing homes, rehab centers, nutritionists, naturopaths, and other health workers who handle health records.
- Health plans: HMOs, insurance companies, employer health plans, and government programs that deal with health or health-related billing information.
- Healthcare clearinghouses: Entities that convert nonstandard health information received from another entity into a standard format (or the reverse), such as billing services and repricing companies.
- Business associates: Anyone who creates, receives, maintains, or transmits PHI on behalf of a covered entity, including contractors, lawyers, accountants, IT specialists, companies that destroy medical records, billing services, software and cloud providers, etc.
However, not everyone who handles your medical records is required to follow HIPAA regulations. Employers, most schools and school districts, life insurers, most law enforcement agencies, many municipal offices, and certain state agencies are not covered entities.
What information is included in patients’ privacy rights?
Honoring your patients’ rights is paramount. Civil penalties for noncompliance reach into the tens of thousands of dollars per violation (with an annual cap for repeated violations of the same provision), and criminal violations can carry fines of up to $250,000 and up to ten years’ imprisonment.
Your patients have the following rights regarding their medical information privacy.
1. The Right to Receive Notice of Privacy Practices
Your patients have the right to understand how you will use their healthcare information. A provider with a direct treatment relationship must give the notice no later than the first service delivery, make a good-faith effort to obtain the patient’s written acknowledgment of receipt, post the notice prominently where patients can read it (and on your website, if you have one), and give a copy to anyone who asks.
The privacy notice must describe how you may use and disclose PHI under the Privacy Rule (and that other uses require the patient’s written authorization), explain the patient’s rights, and tell the patient how to file a complaint with you and with the Department of Health and Human Services.
2. The Right to Access and Request Copies of Medical Records
Under HIPAA, patients have the right to inspect and receive copies of their health information. However, they do not have the right to take the original records, paper or electronic. A patient may request a specific format (such as an emailed PDF), and you must comply if the record is readily producible in that format. If it isn’t, you and the patient agree on another readable electronic format; a hard copy is acceptable only if the patient declines all readily producible electronic formats. If a patient asks for unencrypted email, you may send it, but warn the patient of the risk first and document the request.
Patients can also direct you to send a copy to another person, typically a relative, another doctor, or an attorney. Have the patient submit a signed, written request that clearly identifies the recipient, the records to be sent, and where to send them.
HIPAA allows you to charge a “reasonable, cost-based fee” for copies of medical records. The fee may cover the labor of copying, supplies (paper or electronic media), and postage, but not the cost of searching for or retrieving the records. Note: Some state laws further limit this provision.
Patients must receive their requested records within 30 days. You may extend this period once, by up to 30 more days, as long as you notify the patient in writing of the reason for the delay and the date they can expect their information.
In limited cases, you can deny a patient’s request for medical information. For instance, patients do not have a right of access to psychotherapy notes kept separately from the rest of the record, or to information compiled in reasonable anticipation of legal proceedings. The patient must receive a written denial that explains the basis for it. Some denials (for example, when a licensed professional judges that access is reasonably likely to endanger the patient’s life or safety) may be reviewed on appeal by a second licensed professional; others, including the psychotherapy-notes and legal-proceedings grounds, are not reviewable.
3. The Right to Amend Medical Records
Patients may submit a written request to amend their medical records if they believe the information is inaccurate or incomplete. You have 60 days to respond, with one 30-day extension if you give the patient a written explanation of the delay and a target date.
You may deny the request as long as you state the reason in writing (perhaps you didn’t create the record, the record is accurate and complete, or the information is not part of the record set the patient has a right to access). The denial must also tell the patient that they may file a written statement of disagreement, that if they do not, they may ask you to include their amendment request and your denial with future disclosures of the disputed information, and how they can complain to you and to the Department of Health and Human Services.
4. The Right to Access a Child’s Medical Records
Generally, a parent acts as the minor child’s personal representative and may see the child’s medical records, subject to state law. A parent may not access a child’s records in the following situations:
- The parent agrees that the minor may have a confidential relationship with you.
- A court (or a person appointed by the court) authorizes the minor’s care.
- State law lets the minor consent to the care without parental consent, and the minor does so.
You may not disclose a child’s information to a school without a parent’s written authorization. One notable exception covers immunization records: you may disclose proof of immunization to a school that state law requires to have it, as long as the parent (or the student, if an adult or emancipated minor) agrees. The agreement may be oral, but you must document it.
HIPAA does not govern the health records a school keeps in its own student files. Those are governed by the Family Educational Rights and Privacy Act (FERPA).
5. The Right to Make Special Privacy Requests
You must allow patients to request restrictions on how you use and disclose their information. Document each request and your response, and retain that documentation for at least six years.
You aren’t obligated to agree to every restriction a patient requests. But once you agree, you are bound by it for information you already hold. You may end an agreed restriction only with the patient’s consent, or by informing the patient in writing, in which case the termination applies only to information created or received after you inform them. The one exception is emergency treatment: you may disclose restricted information to another provider to treat an emergency, but you must ask that provider not to disclose it further. You are not obligated to notify other providers of the restriction, but you are encouraged to do so (or at least to encourage the patient to do so).
You must accommodate reasonable requests for patients to receive communications by alternative means or at alternative locations. For instance, a patient may insist you contact them at an alternate mailing address or on a particular phone line. You may require such requests in writing, but you may not demand a reason for them.
If a patient pays out of pocket in full for an item or service and asks you not to disclose it to their health plan, you must honor the request unless the disclosure is required by law. Unlike other agreed restrictions, you cannot later terminate this one on your own.
6. The Right to an Accounting of Disclosures
At any time, a patient may request a list of the disclosures you have made of their PHI during the six years before the request. It must include disclosures made by your business associates as well as by your own staff. You have 60 days to respond, with one 30-day extension if you give the patient a written explanation of the delay and a target date.
Each entry in the accounting must include the date of the disclosure, the name (and, if known, the address) of the entity or person who received the information, a brief description of the information disclosed, and a brief statement of the purpose of the disclosure.
The accounting does not have to include disclosures for treatment, payment, or healthcare operations; disclosures to the patient; disclosures the patient authorized in writing; disclosures to persons involved in the patient’s care or for a facility directory; or disclosures to correctional institutions or law enforcement officials who have the patient in lawful custody. Other disclosures to law enforcement must be included.
One accounting each year must be free of charge for the patient. Additional accountings in the same year can be subject to a cost-based fee if you inform the patient of the cost in advance.
Mishandling patient information can cost you serious fines and even prison time.
Making Common Mistakes
Healthcare providers accidentally violate privacy regulations in the following ways.
- Transmitting information through unsecured electronic methods, such as unencrypted email or text messages, or personal file-sharing accounts.
- Faxing categories of information that state law specially protects (sexual assault counseling, HIV test results, substance use treatment records, and others) without the specific authorization those laws require, or faxing to an unverified number.
- Cutting corners when you’re busy (ex. failing to shred a document before throwing it away).
- Discussing patient information in a public place.
- Sharing patient information with the patient’s family members or friends when the patient has not agreed, or has not been given a chance to object.
- Accessing information you don’t “need to know.” HIPAA’s minimum-necessary standard means that even if the system lets you open a record, you shouldn’t unless your job requires it.
Patients upset with how you handle their privacy may complain to the Department of Health and Human Services, whose Office for Civil Rights (OCR) enforces HIPAA. Depending on the seriousness of the complaint, OCR may investigate your practice. That’s a hassle you don’t need.
If you have specific questions about your healthcare practice, learn more from the U.S. Department of Health and Human Services website.