The trusted source for
healthcare information and
Health care providers face a steep learning curve before they master the medical record confidentiality regulations that go into effect two years from now. Health care attorney and health information expert Dan Mulholland of Pittsburgh-based Horty Springer says that initial efforts to consolidate a notice to patients about their privacy rights were futile. "We started trying to draft a notice of privacy policies following the regulations, and we quit after about five pages of small print."
According to Alan Steinberg, also of Horty Springer, that’s why providers must begin acclimating themselves to the central concepts included in the new regulation mandated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) as quickly as possible. He says the basic rule governing health information — technically known as "rules for use and disclosure" — is that providers must obtain the patient’s consent to use and disclose protected health information for treatment purposes, payment purposes, and internal operations.
It actually goes even goes further, Mulholland says. Unlike the proposed regulation, which did not anticipate that providers would have to obtain specific consent in order to use medical records within the hospital, the final regulations mandate that consent be obtained. "The basic rule is that you can’t do anything with this [information] unless they say you can or they say you have to," he explains.
Here are six core concepts Steinberg says providers should pay close attention to as they familiarize themselves with the new privacy mandates:
1. Patients always have rights over protected health information and always have access to that information. The only time providers can use or disclose that information is with the consent of the individual for the purposes of treatment, payment, or internal operations.
2. That does not mean the patient owns the information, says Steinberg. On the contrary, almost every state law on the books says the provider owns the health information. "That stays the same, even though the individual has to consent for usage and further disclosure of it."
3. There are some very specific instances where the consent of the individual is not required. They include cases in which emergency treatment is required and when disclosure is to a family member involved in the patient’s care. Consent also is not required when providers are required by law to treat patients or have an indirect treatment relationship with the patient or where an effort was made but substantial barriers exist.
4. Patient "consent" is distinct from patient "authorization." In short, patient authorization is required whenever records are going to be released for any purpose apart from treatment, payment, or health care operations.
"You can transmit the information to a health insurance company in order to get paid, as long as you have that basic consent," explains Mulholland. "Anything else needs an authorization." Where possible, he says, it helps to distinguish these two critical responsibilities.
5. The individual has the right to at least try to have the covered entity agree to minimize disclosure of protected health information. "You have to pay attention to that," warns Steinberg.
6. HIPAA includes a long laundry list of specific situations where providers can release records without patient authorization.
"It is a little quirky at first to think that someone has to consent for you to use this material all along," argues Steinberg. But he points out that the regulations also say that if patients refuse to give their consent, providers have the right to refuse admission and treatment. Likewise, health plans can deny enrollment if routine consent for treatment, payment or operations purposes is refused.
"That consent does not have to be separate from any other consent," says Mulholland. "You can have it on the same admissions form as long as it is clearly delineated as a separate consent on that form and signed separately."