Background and Intent of the Law
The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 to lay down a common set of standards for, and rules of access to, electronic medical records. Given the extent of information exchange required between patients and primary health care institutions, on one hand, and public and private insurers on the other, the explicit goal of HIPAA was to advance the move toward full electronic data interchange (EDI). However, efficient recording and transmittal of essentially private information over the Internet, and even over proprietary networks, posed a threat to the individual's right to privacy of health and treatment information.
Patient Access to Own Medical Records
The health information privacy provisions of HIPAA explicitly expand patients' access to their own information. For the first time, consumers could file a request to see a copy of their health records, have corrections made, be notified about the end-uses of their EMR and whom it is shared with, approve such proposed end-use and sharing if desired, and receive information on the circumstances under which their health information was shared (U.S. Department of Health & Human Services, n.d.). Consumers who are convinced that their privacy rights were violated can file a complaint with either their insurer or their health care provider, both of which must respond; if the patient is still not satisfied, they have the option of turning to the government for help.
Complaints may be filed with the Office for Civil Rights (OCR, under HHS). The procedure calls for the complaint to be filed in writing and sent by post, e-mail or fax. The target of the complaint must be identified, the privacy violations or omissions defined, and the complaint filed within 180 days of when the covered incident occurred. Given a showing of “good cause”, OCR may extend the filing deadline by another 180 days.
Circumstances When Personal Health Information Can Be Used for Purposes Unrelated to Health Care
Health care information can be provided to employers and for marketing or advertising purposes, such as to list brokers, mailing databases, subscription services and sales agents. However, both of these uses require written permission from the patient.
Express permission for use outside the health care arena is not required in the following cases:
a) Conflict with other laws, or when a court judgment requires access;
b) Discovery of evidence to prosecute or defend cases of abuse, neglect or domestic violence;
c) Adjudication of the estate of a decedent (such as the homicide finding in the death of the singer Michael Jackson);
d) All other law-enforcement activities which are deemed legal ab initio (e.g. the medical and mental health records needed to prosecute the Army psychiatrist Hasan who went on a shooting rampage in Fort Hood, TX);
e) When a regulatory mandate and the public interest coincide, such as reporting cases of H1N1 flu to the Centers for Disease Control;
f) Organ, eye, or tissue donation, to prevent contamination by blood-borne or genetic diseases;
g) When there is an official determination of a serious threat to public health or safety;
h) Justifying or denying workmen’s compensation awards;
i) Police procedures that impose reporting duties on health care providers, such as in cases of gunshot wounds;
j) When needed to ensure that clinics, hospitals, hospices and nursing homes deliver proper care and safety; and,
k) Any other case in which the essential functions of government so require it.
Requirements for Covered Entities to Have Written Privacy Policies and Minimum Components of Those Policies
The HIPAA Administrative Simplification standards define covered entities as:
- A health care provider that conducts even a minimal number of transactions in electronic form;
- A health care clearinghouse (e.g. a broker or the kind of exchange contemplated in the “public option” currently under discussion in the U.S. Senate);
- A health insurer or plan vendor (Centers for Medicare and Medicaid Services, 2006a).
References
Centers for Medicare and Medicaid Services (2006a). Are you a covered entity? Web.
U.S. Department of Health & Human Services (n.d.). Privacy and your health information. Web.
U.S. Department of Health & Human Services (n.d.). Health information privacy. Web.