Privacy of and control over your own medical records are the two basic elements of HIPAA. Making sure you receive those benefits requires an understanding of what the law does and does not provide.
Prior to the passage of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), your access to your own medical records and the privacy surrounding them depended on state law. In many states, these basic protections were lackluster at best. HIPAA creates a national standard. Now state laws may provide you with more access and more protection, but they can’t provide you with less.
The most sweeping changes caused by HIPAA are the privacy requirements and the breadth of entities they apply to. Thanks to the law, entities that collect your medical information have had to closely examine their practices to make sure they are in compliance, and make quick changes, if they weren’t. These changes span a wide spectrum from the routine to the comprehensive.
Two examples illustrate the point: 1) assistants in a medical office must turn patient folder so that names cannot be seen by persons walking anywhere in the building, except exam rooms and similarly restricted areas; and 2) employers must erect “firewalls” to prevent an employee’s supervisor from learning too much about the specifics of an employee’s insurance claims.
HIPAA also regulates the flow of information. For example, it requires that only the necessary minimum information that is needed to effect treatment be conveyed in situations such as an emergency where privacy protections can’t be guaranteed. For example, one doctor can call another to discuss your emergency treatment, but it might not be acceptable for the doctor to fax your medical records, even if protections are put in place to guard the fax machine from those who don’t have a right to see such records.
HIPAA coverage is not universal. Certain industries and business are not covered. For example, law enforcement, creditors, and life insurance companies may still gain access to some of your information. In addition, not all employers are covered, and, when they are, the privacy mechanisms can be weak and easily pierced.
Determining whether you are covered can be daunting, so my tip is to assume you are. Many entities have decided it is better to err on the side of caution and adopt procedures consistent with HIPAA and state law requirements. Even when they haven’t, they may decide to accommodate your request because it is easier and cheaper than fighting it. Moreover, if an entity is covered by HIPAA you will receive a privacy notice from them, which takes some of the uncertainly out of the equation.
Some criticize HIPAA for not going far enough. However, if patient privacy is your concern, the law is a large step in the right direction. It is important to understand that HIPAA is merely the “floor” and that states can pass laws that provide even more protection, but not less.
While you probably want the privacy of your medical information preserved, you certainly don’t want it preserved from you. In some cases, medical providers had made it extremely difficult for patients or their surrogates (e.g. a guardian or attorney-in-fact) to obtain comprehensive copies of their medical information. Under HIPAA, a patient has the right to see, copy, and amend their medical information. To initiate access, a person entitled to such access should make a written request. While making a request in writing is not always necessary, it is important to document the fact in the event a dispute arises in the future. Furthermore, a records custodian is not required to grant immediate access. Typically, a provider has at least thirty days to respond to a request.
In addition to providing physical access to your records, HIPAA also puts limits on the amount that can be charged for copying them. State law may further limit such charges. For example, in Ohio, a provider cannot charge more that $0.25 per page. In addition, while a provider can charge the actual cost of mailing the records, they cannot charge for time in compiling them.
In addition to providing you access to your records in most instances, HIPAA also gives you the right to learn who else has accessed your medical records. This can be useful in a variety of ways. For example, you might be treated by several specialists over the course of a particular hospitalization. The ability to track those specialists down might be easier since their accessing your records during the course of treatment will be logged. In addition, like a credit report, you will be able to monitor your medical information to determine if any inappropriate access has been granted.
HIPAA provides accountability in another way by allowing a patient to correct errors in their medical records. This may be important, for example, if an error would affect insurance coverage or a legal claim for a personal injury lawsuit.
Finally, HIPAA provides a process through which you can file a complaint when your rights protected by the law have been violated. Many states go even farther and provide individuals with the right to sue for such violations. In either regard, those responsible for maintaining your medical information are subject to oversight and review to a greater extent than they have been before. Such oversight makes them more accountable to those whose interests they must now protect.
HIPAA is a sweeping law that caused entities that deal with individual’s medical information to make sweeping changes in the way such information was handled. While the law could do more, it has provided individuals with greater privacy, access, and the power of holding others accountable.