Personal Medical Information - Patient Privacy under HIPAA
The Health Insurance Portability and
Accountability Act (HIPAA) of 1996 included patient privacy protections
designed to safeguard the security and confidentiality of health information.
HIPAA was designed to encourage electronic transactions and applies to health
care plans, insurers, pharmacies, doctors and other health care providers.
The effective date of compliance for the majority of health care providers
covered by HIPAA regulations began on April 14, 2003. A complete discussion
of these regulations is beyond the scope of this article. However, if you wish
to research further, please visit
www.hhs.gov/ocr/hipaa
Patient Medical Information Protections – Key Provisions
Patient Notice of Privacy Practices: Health
care providers covered by HIPAA such as health plans, doctors and other
health care providers must provide notice to their patients on the use of
personally identifiable medical information and their rights under the patient
privacy regulations. The regulations require that the privacy procedures
be written and include a description of medical staff that has access to
protected information and office disclosure practices. Direct care providers,
such as physicians and other medical professionals, will generally provide
this notice on the first office visit after April 14, 2003. Health care
plans are required to mail a copy of the privacy policy to persons enrolled
on April 14, 2003 and any time significant revisions are made to the policy.
Patients may request that information disclosures be further restricted,
but whether to comply with the patient request is at the discretion of the
HIPAA-covered health care provider.
Patient Access to Medical Records: Patients
generally should be able to view, request corrections to errors, and obtain
copies of their medical records. Health care providers covered by HIPAA
are generally required to provide access to the medical information within
30 days of request and may charge for copying, postage and other incidental
costs.
Use of Personal Medical Information: The privacy
regulations set limits on the use of personally identifiable medical information.
The regulations do not restrict the ability of doctors and other health care
providers to share information that is required in patient treatment. Disclosures
unrelated to health care delivery are generally prohibited and may
require specific patient authorization. Pharmacies, health plans and other
covered entities must obtain specific authorization before disclosing their
patient information for marketing purposes. Any business that provides services
to a covered entity and that may have access to private medical information
must generally follow the same privacy limitations on disclosure and use
of the information.
Employee Training: Entities covered by HIPAA
must train employees in their privacy procedures and designate a person
responsible for ensuring compliance with those procedures. The regulations
provide that personnel who are found to be in violation of privacy procedures
should be subject to appropriate discipline.
Patient Communications: Patients can request
that their doctors, health plans and other health care entities covered
by HIPAA take reasonable steps to ensure that their communications with
the patient are confidential. Generally, covered entities should comply
with a patient's request for confidentiality if the request can be reasonably
accommodated.
The new regulations are not intended to replace state privacy regulations
that may provide expanded privacy protections for patient information but
rather to provide a minimum standard for patient privacy.