Confidentiality and HIPAA

Traditionally, ethical health care has always included the need to keep patients' medical information confidential. However, the Health Insurance Portability and Accountability Act (HIPAA—see www.hhs.gov/ocr/privacy/) has codified the responsibility of health care providers. In HIPAA, “health care providers” include health plans, health care clearinghouses, and health care practitioners who electronically conduct financial and administrative transactions (eg, enrollment, billing, eligibility verification). Key provisions of HIPAA involve the following areas.

Access to medical records: Generally, patients should be able to see and obtain copies of their medical records and request corrections if they identify errors.

Notice of privacy practices: Health care providers must provide a notice about their possible uses of personal medical information and about patient rights under HIPAA regulations.

Limits on use of personal medical information: HIPAA limits how health care providers may use individually identifiable (protected) health information. The act does not restrict physicians, nurses, and other practitioners from sharing information needed to treat their patients. However, practitioners may use or share only the minimum amount of protected information needed for a particular purpose. In most situations, personal health information may not be used for purposes unrelated to health care. For example, a patient must sign a specific authorization before a health care provider can release medical information to a life insurer, a bank, a marketing firm, or another outside business for purposes unrelated to the patient's current health care needs.

Marketing: Marketing is communication designed to encourage people to purchase a particular product or service. HIPAA requires that the patient's specific authorization be obtained before information is disclosed for marketing. The health care practitioner must disclose any payments that will be received as a result of marketing. However, health care practitioners can freely communicate with patients about treatment options, products, and other health-related services, including disease-management programs.

Confidential communications: A patient can request that health care practitioners take reasonable steps to ensure that their communications with the patient are confidential. For example, patients could ask a physician to call their office rather than home. Nonetheless, unless the patient objects, practitioners can share medical information with a patient's immediate family members or someone known to be a close personal friend if the information relates directly to that person's involvement with the patient's care or payment for care. Practitioners are expected to exercise professional judgment.

For purposes of the privacy rule, an authorized personal representative of the patient (eg, a proxy appointed in a power of attorney for health care or a state-authorized decision-making surrogate) should be treated the same as the patient. Thus, the representative has the same access to information and may exercise the same rights regarding confidentiality of information. Nevertheless, practitioners may restrict information or access if there are reasonable concerns about domestic violence, abuse, or neglect by the representative.

Some communication cannot remain confidential. Health care practitioners are sometimes required by law to disclose certain information, usually because the condition may present a danger to other people. For example, certain infectious diseases (eg, HIV, syphilis, TB) must be reported to state or local public health agencies. Conditions that might seriously impair a patient's ability to drive, such as dementia or recent seizures, must be reported to the Department of Motor Vehicles in some states.

Complaints: Patients may file complaints about compliance with these privacy practices. Complaints can be made directly to the health care practitioner or to the Office for Civil Rights in the US Department of Health and Human Services. Patients do not have a right to file a private lawsuit under HIPAA. There are civil and criminal penalties for misuse of personal health information; however, such penalties should not worry health care practitioners who, in good faith, make reasonable attempts to comply.

Last full review/revision October 2007 by Charles Sabatino, JD

Content last modified October 2007

Copyright © 2010-2011 Merck Sharp & Dohme Corp., a subsidiary of Merck & Co., Inc., Whitehouse Station, N.J., U.S.A.