Comprehensive standards governing when, how, and to whom you can release medical record information of your patients have been unveiled by the Department of Health and Human Services. The new privacy regulations stem from the Health Insurance Portability and Accountability Act and protect the medical records and other personal health information maintained by health care providers, hospitals, health plans and health insurers, and health care clearinghouses.
"For the first time, all Americans — no matter where they live, no matter where they get their health care — will have protections for their most private personal information, their health records," former HHS Secretary Donna Shalala said when the standards were released in January. The regulations take effect in 2003.
Congress mandated the regulation after it failed to pass comprehensive medical privacy legislation. The new standards:
The final regulation covers paper, oral, and electronic health related information and communications. The final rule also requires that most providers get their patients’ consent for both routine use and disclosure of health records and non-routine disclosures. The earlier version had proposed allowing routine disclosures without advance consent — disclosures for purposes of treatment, payment, and health care operations (such as internal data gathering by a provider or health care plan).
The requirements for advance written consent for routine purposes are similar to the practice most patients are accustomed to when they visit a doctor or hospital today, said Shalala. However, the regulation provides additional protection by requiring that patients also be given detailed written information on their privacy rights and how their information will be used.
Among other changes to the proposed rule, the final regulation:
• Allows disclosure of the full medical record to providers for treatment purposes. For most disclosures, such as health information submitted with bills, providers may send only the minimum information needed for the purpose of the disclosure. However, for purposes of treatment, health care providers need to be able to transmit more detailed information to other providers. The final rule gives providers full discretion in determining what personal health information to include when sending patients’ medical records to other providers for treatment purposes.
• Protects against unauthorized use of medical records for employment purposes. Companies that sponsor health plans will not be able to access personal health information from the sponsored plan for employment-related purposes, without authorization from the patient.
Here are some basics of the new regulations:
• Who’s covered. The regulation covers health plans, health care clearinghouses, and health care providers who conduct certain financial and administrative transactions (e.g., billing and funds transfers) electronically.
• Information protected. All medical records and other individually identifiable health information held or disclosed by a covered entity in any form, whether communicated electronically, on paper, or orally, is covered by the final regulation.
• Patient education. Providers and health plans are required to give patients a clear written explanation of how they can use, keep, and disclose their health information. Patients must be able to see and get copies of their records, and request amendments. In addition, a history of most disclosures must be made accessible to patients.
• Receiving patient consent before information is released. Patient authorization to disclose information must meet specific requirements. Health care providers who see patients are required to obtain patient consent before sharing their information for treatment, payment, and health care operations purposes.
In addition, specific patient consent must be sought and granted for non-routine uses and most non-health-care purposes, such as releasing information to financial institutions determining mortgages and other loans, or selling mailing lists to interested parties such as life insurers. Patients also have the right to request restrictions on the uses and disclosures of their information.
• Ensuring that consent is not coerced. Providers and health plans generally cannot condition treatment on a patient’s agreement to disclose health information for non-routine uses.
• Providing recourse if privacy protections are violated. People have the right to complain to a covered provider or health plan, or to the Department of Health & Human Services, about violations of the rule.
• Boundaries on medical record use and release. With few exceptions, individual health information can be used for health purposes only. Patient information can be used or disclosed by a health plan, provider, or clearinghouse only for purposes of health care treatment, payment and operations. Health information cannot be used for purposes not related to health care — such as by employers to make personnel decisions, or by financial institutions — without explicit authorization from the individual.
• Providing the minimum amount of information necessary. Disclosures of information must be limited to the minimum necessary for the purpose of the disclosure. However, this provision does not apply to the transfer of medical records for purposes of treatment, since physicians, specialists, and other providers need access to the full record to provide best quality care.
• Ensuring informed and voluntary consent. Non-routine disclosures with patient authorization must meet standards that ensure the authorization is truly informed and voluntary.
• Security of personal health information. While the regulation establishes privacy safeguard standards that covered entities must meet, it leaves detailed policies and procedures for meeting these standards to the discretion of each provider. However, providers must:
— adopt written privacy procedures. These must include who has access to protected information, how it will be used within the entity, and when the information would or would not be disclosed to others. They must also take steps to ensure that their business associates protect the privacy of health information.
— train employees and designate a privacy officer. Covered entities must provide sufficient training so that their employees understand the new privacy protection procedures, and designate an individual to be responsible for ensuring the procedures are followed.
— establish grievance processes. Covered entities must provide a means for patients to make inquiries or complaints regarding the privacy of their records.
• Exceptions. The standard also creates specific exceptions that permit the disclosure of health information without individual authorization under the following circumstances: oversight of the health care system, including quality assurance activities; public health; research, generally limited to when a waiver of authorization is independently approved by a privacy board or institutional review board; judicial and administrative proceedings; limited law enforcement activities; emergency circumstances; identification of the body of a deceased person, or the cause of death; facility patient directories; and activities related to national defense and security.