HIPAA (Health Insurance Portability and Accountability Act)
Beginning April 14, 2003, patients will have greater control over their medical records and the release of their private health information. This is the date the Health Insurance Portability and Accountability Act (HIPAA) of 1996 becomes a federal law and enforces the confidentiality of patient information, while giving patients federal rights (and in some cases, state rights) to gain access to their medical records and restrict who sees their health information.
HIPAA PRIVACY REGULATIONS: FREQUENTLY ASKED QUESTIONS
Q: What is HIPAA?
HIPAA is an acronym that stands for the Health Insurance Portability and Accountability Act of 1996. HIPAA includes privacy regulations that govern the use and disclosure of a patient’s personal health information. Besides privacy regulations, HIPAA creates new standards for administrative transactions and the security of personal health information.
Q: Who must follow HIPAA?
Only “covered entities” are subject to HIPAA. There are three types of covered entities: health care providers (including hospitals, physicians and emergency medical or ambulance personnel), health plans, and health care clearinghouses.
Q: How does HIPAA affect me as a patient?
HIPAA allows health care providers to use and disclose your health information without your consent for purposes of providing treatment to you, obtaining payment for health care services provided to you, and for the health care provider’s internal operations. For most other uses or disclosures, a health care provider will obtain your written permission before using or disclosing your personal health information. There are some exceptions where your permission is not required, such as releasing information to health officials or law enforcement under certain circumstances.
HIPAA also gives you certain rights regarding your personal health information:
- The right to inspect and copy your personal health information
- The right to request amendments to your personal health information
- The right to receive an accounting of certain disclosures of your personal health information made by the health care provider.
Q: Will doctors be able to release my health information to other doctors under HIPAA?
Yes, under HIPAA, a doctor can release personal health information about you to other doctors who are involved in your treatment. A doctor can also release personal health information about you to another doctor who needs that information for purposes of obtaining payment for services provided to you.
Q: Will HIPAA change the way health care providers release personal health information to the media?
Yes, under HIPAA, hospitals may maintain a directory that may only include a patient’s name, location in the hospital, general condition (e.g., “treated and released,” “fair,” “critical”), and religious affiliation. If a hospital chooses to maintain a directory, a patient has the opportunity to object to or restrict the use or disclosure of information contained in the directory. If a patient does not object to this information being included in the directory, a reporter asking for the patient by name can be privy to the general condition of the patient. If the media does not ask for the person by name, no personal health information about the patient may be disclosed.
Q: What about patients who are unconscious or otherwise unable to give advance permission for release of their information?
Under HIPAA, where the opportunity to object or restrict the use or disclosure of information cannot be practically provided because the individual is unconscious or incapacitated in some way, the health care provider may disclose the patient’s general condition if the disclosure is (1) consistent with a prior expressed preference of the individual, if any, that is known to the health care provider; and (2) in the individual’s best interest as determined by the covered health care provider, in the exercise of professional judgment.
Q: Can a hospital confirm that a patient has died?
Although hospitals have traditionally released information about patient deaths to the media upon request, HIPAA allows the disclosure of such information only in response to certain law enforcement inquiries; to coroners, medical examiners and funeral directors to allow them to do their jobs; and to family, a personal representative or another person directly responsible for the patient’s care. Reports to public health authorities in their role of collecting vital statistics are also allowed.
One exception to this prohibition would be within the facility directory exception discussed earlier. If the patient is still within the facility, then death is a condition that may be disclosed as a general condition of the patient after next of kin has been notified. No other details, however, about the circumstances, cause, time, etc. can be released without written authorization from the patient’s representative. If the deceased patient has been removed from the facility, then the facility must obtain a signed authorization from the patient’s personal representative to release information about the patient’s death.
Q: Do restrictions on the release of patient information change if a disaster occurs?
Yes, hospitals and other health care providers may disclose patient information to a public or private entity authorized by law or its charter to assist in disaster relief efforts. Information also may be released to these types of organizations for the purpose of coordinating with such entities in contacting a family member, personal representative or person directly responsible for a patient’s care.
Q: How does HIPAA apply to release of personal health information of minor children?
Unemancipated minor children (under the age of 18) may have information released with the consent of a parent or legal guardian. Emancipated minors and minors who are authorized to consent to specific medical procedures under Colorado law retain control over the use and disclosure of their health information, and authorization for release of information must be obtained from the minor in these situations.
Q: Are there other restrictions on the release of patient information in addition to HIPAA?
State and other federal laws may impose specific limitations on the disclosure of personal health information. For example, patients admitted to an alcohol or drug treatment program that receives any federal support are entitled to complete confidentiality under federal law, and information relating to that treatment, including whether the patient is in the program, can only be released under certain circumstances.
Q: Are there situations in which hospitals may establish policies for release of patient information that are stricter than those provided by HIPAA?
HIPAA establishes a minimum acceptable threshold for the use and release of patient health information. State and other federal law as well as hospital policies may establish stricter standards. For example, hospitals are typically very cautious about releasing information about any patient associated with the commission of a crime or where the safety and security of both patients and hospital personnel may be jeopardized.
Q: When do the HIPAA privacy rules become effective?
HIPAA became effective on April 14, 2001, but the privacy rules will not be enforced until April 14, 2003.
Q: What can I do if I believe that my personal health information has been used or disclosed improperly?
You can file a complaint with the privacy office of your health care provider. You can also file a complaint with the Secretary of the U.S. Department of Health and Human Services (DHHS).
Q: How are violations enforced?
The U.S. Department of Health and Human Services Office of Civil Rights is responsible for enforcing HIPAA. If you file a complaint with DHHS, the DHHS Office of Civil Rights may investigate your complaint and may impose sanctions on the health care provider if a violation is found.
Q: What are the penalties for violations of HIPAA?
The government may impose civil and criminal penalties of as much as $50,000 and/or imprisonment for up to one year. If the offense is one of disclosure under false pretenses, the fine is a maximum of $100,000 and/or imprisonment for up to 5 years. If the offense is committed with the intent to sell, transfer or use patient information for commercial or personal gain or malicious harm, the fine is a maximum of $250,000 and/or imprisonment for as long as 10 years.