Traditionally, ethical health care has always included the need to keep patients' medical information confidential. However, the Health Insurance Portability and Accountability Act (HIPAA—see www.hhs.gov/ocr/privacy/) has codified the responsibility of health care providers. In HIPAA, the term “health care providers” includes health plans, health care clearinghouses, and health care practitioners who electronically conduct financial and administrative transactions (eg, enrollment, billing, eligibility verification). Key provisions of HIPAA involve the following areas.
Access to medical records
Typically, patients or their authorized representatives should be able to see and obtain copies of their medical records and request corrections if they identify errors.
Notice of privacy practices
Health care providers must provide a notice about their possible uses of personal medical information and about patient rights under HIPAA regulations.
Limits on use of personal medical information
HIPAA limits how health care providers may use individually identifiable (protected) health information. The act does not restrict physicians, nurses, and other practitioners from sharing information needed to treat their patients. However, practitioners may use or share only the minimum amount of protected information needed for a particular purpose. In most situations, personal health information may not be used for purposes unrelated to health care. For example, a patient must sign a specific authorization before a health care provider can release medical information to a life insurer, a bank, a marketing firm, or another outside business for purposes unrelated to the patient's current health care needs.
Marketing is communication designed to encourage people to purchase a particular product or service. HIPAA requires that the patient's specific authorization must be obtained before disclosing information for marketing. Health care providers must disclose any payments that will be received as a result of marketing. However, health care providers can freely communicate with patients about treatment options, products, and other health-related services, including disease-management programs.
Practitioners should take reasonable steps to ensure that their communications with the patient are confidential. For example, physician-patient medical discussions should be in private, or a patient might ask a physician to call their office rather than home. Nonetheless, unless the patient objects, practitioners can share medical information with a patient's immediate family members or someone known to be a close personal friend if the information relates directly to that family member's or friend's involvement with the patient's care or payment for care. Practitioners are expected to exercise professional judgment.
For purposes of the privacy rule, an authorized personal representative of the patient (eg, a proxy appointed in a power of attorney for health care, a state-authorized health surrogate or someone given HIPAA-compliant written authorization to have access to confidential information) should be treated the same as the patient. Thus, the representative has the same access to information and may exercise the same rights regarding confidentiality of information, except that an express HIPAA authorization can specify limits on the representative's authority. Nevertheless, practitioners may restrict information or access if there are reasonable concerns about domestic violence, abuse, or neglect by the representative.
Some communication cannot remain confidential. Health care practitioners are sometimes required by law to disclose certain information, usually because the condition may present a danger to other people. For example, certain infectious diseases (eg, HIV, syphilis, TB) must be reported to state or local public health agencies. Signs of child and, in many states, adult or elder abuse or neglect, typically must be reported to protective services. Conditions that might seriously impair a patient's ability to drive, such as dementia or recent seizures, must be reported to the Department of Motor Vehicles in some states.
Patients may file complaints about compliance with these privacy practices. Complaints can be made directly to the health care practitioner or to the Office for Civil Rights in the US Department of Health and Human Services. Patients do not have a right to file a private lawsuit under HIPAA. There are civil and criminal penalties for misuse of personal health information; however, such penalties should not worry health care practitioners who, in good faith, make reasonable attempts to comply.
Last full review/revision September 2012 by Charles Sabatino, JD