Privacy / HIPAA issues

The following information was discussed by Attorney Whitney Hughes on the September 11, 2007 edition of Legal Briefs on KDKA's Pittsburgh Today Live Show.

Many times we field questions from individuals asking about whether or not their privacy rights have been violated in any given situation, but most often when dealing with medical records.

The Basics:

The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress in 1996 to set a national standard for electronic transfers of health data. At the same time, Congress saw the need to address growing public concern about privacy and security of personal health data. Actually writing the rules on privacy as well as enforcing them eventually fell to the U.S. Department of Health and Human Services (HHS).

Common Questions:

I’ve heard so much about how HIPAA has changed things but what exactly does it do?

HIPAA does 9 things:

  1. HIPAA sets a national standard for accessing and handling medical information. Before HIPAA, your right to privacy of health information varied depending on what state you live in. Now, health care providers, health plans, and other health care services that operate in all states have to abide by the minimum standards set by HIPAA.

    States can adopt laws that give you more privacy, but it cannot take away the basic rights given by HIPAA. Pennsylvania does NOT have a comprehensive statute which protects the privacy of confidential medical information.
  1. Access to your own medical records is now guaranteed by federal law. Before HIPAA was enacted, only about half the states had laws requiring patients to be able to see and copy their own medical records. Now HIPAA gives everyone the right to see, copy, and request to amend his/her own medical records. You can be charged for copies of your records, but HIPAA sets limits on the fees.
  1. Notice of privacy practices aabout how your medical information is used and disclosed must now be given to you. You should get a notice the first time you visit your doctor after the HIPAA Privacy Rule took effect. The notice should also be available in the health care facility. It must tell you how to exercise your rights under the Rule. Tthe notice must explain how to file a complaint with your health care provider and with the HHS Office of Civil Rights.
  2. HIPAA now requires an accounting of disclosures of your health information. You can find out who has accessed your health records for the prior six years, although there are several exceptions to the accounting requirement. For example, accounting is not required when records are disclosed to the many individuals who see your records for treatment, payment, and health care operations.
  3. You can file a complaint with your health care provider and/or with the HHS if you believe a health care provider or health plan has violated your privacy.
  4. Special requests for confidential communications should be granted, if reasonable. You might prefer that telephone calls about your treatment be made to your home rather than your office, or you might want notices like appointment reminders sent to a post office box instead of your home address.
  5. HIPAA now requires certain administrative requirements for organizations such as staff training, the appointment of a privacy officer, and establishment of formal safeguards.
  6. You have a choice when it comes to having your name included in a hospital directory. You can also choose to have your medical information discussed with designated immediate family members, close friends, or relatives.
  7. Penalties, both civil and criminal, are authorized by the HIPAA Privacy Rule if the government brings a lawsuit for violations.  Keep in mind that HIPAA does not allow for a private cause of action. It does not allow you to sue the health care provider.

What are the problems with HIPAA? What did they leave out?

Your consent to the use of your medical information is not required if it is used or disclosed for treatment, payment, or health care operations. Since your consent is not required for payment, your health care provider can submit a claim to your insurance company—even for a procedure you wanted to keep private and intended to pay for yourself.

Your past medical information may become available, even if you thought the information was long buried and would remain private. An event, treatment, or procedure from your distant past can be disclosed the same as information about current conditions.

Your private health information can be used for marketing and may be disclosed without your authorization to pharmaceutical companies or businesses looking to recall, repair, or replace a product or medication.

You have no right to sue under HIPAA for violations of your privacy. In other words, you do not have a "private right of action." Only the HHS or the U.S. Department of Justice has the authority to file an action for violations of the Privacy Rule.

Law enforcement access to protected health information under HIPAA is a significant concern of privacy and civil liberties advocates. Some disclosures may be made to law enforcement without a warrant or court order.

Does this just apply to doctor’s offices? Who Is Covered by HIPAA?

HIPAA pertains to three categories of "covered entities"— health care providers, health plans, and health care clearinghouses.

Health care providers are covered if they transmit health information electronically. Keep in mind that it is nearly impossible to provide health care today without using electronic means in some way.

As long as information is transmitted electronically, "health care provider" includes your doctors, hospitals, staff involved in your treatment, laboratories, pharmacists, dentists, and many others that provide medical, dental, and mental health care or treatment. In short, a provider is almost anyone in the business of providing health care who is licensed or regulated by the states.

Health plan means anyone that pays for the cost of medical care. This includes: health insurance companies, HMOs (health maintenance organizations), group health plans sponsored by your employer, Medicare and Medicaid, and virtually any other company or arrangement that pays for your health care.

Health care clearinghouses are organizations that work as a go-between for health care providers and health plans. An example of this would be a billing service.

What kind of information is covered by the HIPAA Privacy Rule?

HIPAA covers any information about your past, present, or future mental or physical health including information about payment for your care. To be covered by HIPAA, information has to be kept by a covered entity—a health care provider, health care plan, or health care clearinghouse. This, combined with some fact that identifies you (your name, address, telephone number, Social Security number) is called "protected health information" or PHI. PHI can be oral, handwritten, or entered into a computer. This means a conversation between a doctor and nurse about your condition has the same general protections as information written on your records.

When can information be used without my consent?

Consent for use of your information is not the same as consent for treatment.  HIPAA doesn’t change the general requirement that a health care provider needs your consent before treating you.

A covered entity is allowed to seek your consent, and some state laws require patient consent for treatment, payment, and other disclosures. A covered entity is required to make a good faith effort to obtain your acknowledgment that you received a notice of privacy practices, but this is not the same as obtaining consent.

Your consent is not required when your medical information is used for treatment, payment, or for health care operations or when your information is used by a business associate of your health care provider or plan.

Does HIPAA allow me to get my original records?  

No. HIPAA only gives you the right to get copies of your records. Or, if you choose, you can ask to see your medical records or ask for a summary of your medical file. You will have to pay for those as well.

Do I have to submit a written request for my medical records and when will I get them?

HIPAA does not require a written request. However, if your provider requires a written request, you must be given notice of this. Some providers may have a form specifically for this purpose, or the provider's privacy policy should tell you how to request your medical records.

Even if your doctor does not require a written request, it is always a good idea to put your request in writing. That way, you have a record of important details such as when you filed your request and the record you requested.

Usually, you should get your copies within 30 days of the request. Under HIPAA, if the process takes more than 30 days, you must be given a reason.

My employer sponsors a group health plan? Can my boss see my medical claims?

HIPAA says that the group health plan can tell your employer whether you are enrolled in the plan or not. Your employer can also get from the group plan what is called "summary" information to use to obtain premium bids or changes in coverage. If the health information your employer receives goes beyond the basic summary, then HIPAA requires the employer to establish procedures much like that of a covered entity.

What can I do if someone violates the HIPAA Privacy Rule?

You don't have the right to sue under HIPAA. The most you can do is file a complaint. The privacy notice you receive from your health care provider or plan is required to tell you how to file a complaint within the organization. The notice should also tell you how to contact the HHS Office of Civil Rights. This is the government office charged with enforcing the Privacy Rule.

You must file your complaint within 180 days of the violation, but HHS can extend that time. HIPAA says you cannot be denied treatment because you file a complaint.

Even though the HIPAAA Privacy Rule does not give you the right to sue, other federal or state laws or regulations might give you the right to bring an action in court for violations of your privacy.

As with anything else, if you feel your rights have been violated, you may want to discuss the situation with an attorney.

Call the Allegheny County Bar Association’s Lawyer Referral Service to be referred to an attorney who practices in the area of HIPAA violations or privacy issues.

If you need to speak to an attorney, call our Lawyer Referral Service at 412-261-5555.